Paving the Way for Secure DevOps in the Cloud

Would you rather: muddle your way through a dark, pot-hole laden, overgrown path, or coast home on a wide-open road with the wind in your hair? In the world of application development, DevOps craves that smooth, open road, unimpeded by friction. Finding the right path can be challenging for many organizations, and achieving that open road shouldn't mean compromising security.

For the last seven years, SANS has conducted an annual survey on application security and DevOps. This year they sought to understand how organizations are building and deploying applications in the cloud, and whether or not security is able to keep pace with DevOps teams.

Delivery at High Velocity

The results of the survey reveal that organizations are launching updates at an increasingly rapid pace, stating that "today, almost three-quarters (74%) of organizations are delivering changes more than once per month, an increase in velocity of 14% over the past three years."

In a world where a competitive edge is marked by updates that are launched in days or hours, not weeks, security concerns can result in a priority tug-of-war with DevOps caught in the middle—and when security is pitted against velocity, it looks a lot like friction.

To solve these competing priorities and create an environment where security is maintained without slowing down dev teams, SANS makes a strong case that integrating DevSecOps is a smart way forward, saying "for organizations to develop secure software without roadblocks, organizations need to focus more on automating testing, and shift that testing earlier in the process to offer a clearer path for developers."

Trust Security to Pave the Way

Here's where that wide-open road comes in: Imagine security as a road crew. They can move ahead of DevOps to pave a smooth, safe path forward. But if the security team is brought on too late in the process, you run into a construction traffic jam mid-drive. To clear the way for seamless development and deployment in a cloud environment, organizations are discovering that integrating security into the dev process can help security get ahead and minimize those roadblocks.

At ExtraHop, we've seen first-hand how some of our customers have integrated security into DevOps with tremendous success, and network visibility tools such as network detection and response (NDR) can help when it comes to automating that process, by allowing security to pull data or scan for vulnerabilities faster so that they can keep pace with development.

Find New Paths to Success

In their analysis, SANS lays out tools that can help bridge gaps, but they by no means imply that the secret to DevSecOps success is purely a technical one. They cite organizational causes, including resources, bureaucracy and silos as barriers to success—but note that shifting workloads to cloud providers can help alleviate some of the risk burden while adding scalability.

SANS' analysis offers some best practices for those looking to optimize their DevOps teams. For deeper insight, including a breakdown of the cloud landscape for application development and tools that support DevSecOps, read the full paper.