DevOps is an effective way for companies to speed up product development, but there’s a risk if security measures don’t keep pace.
“Companies sometimes move too fast with DevOps because of business demands and they don’t have time to apply the security framework to all of the new applications,” said Fernando Cardoso, Solution Architect at Trend Micro. The good news is that it’s possible to do both at the same time, Cardoso told participants at a recent ITWC webinar.
The practice of DevOps is intended to improve collaboration between IT and operations to enable continuous delivery of new products and features. It’s just as important to make sure security is fully integrated into the development process, said Cardoso.
The two biggest mistakes to avoid
A common mistake that organizations make is allowing the traditional barriers between developers and the IT security team to persist. “Back in the day, developers made code and sent it to production,” said Cardoso. “There was a wall between the two teams, which creates problems in production.”
This can be complicated by the fact that the two teams have conflicting objectives. “One needs to create new products and features quickly, while the other wants no downtime,” said Cardoso.
DevOps is supposed to bridge this chasm, but “most customers say they have DevOps, but not a lot of security deployed in the process,” Cardoso said.
The second biggest mistake occurs when organizations fail to adapt their security tools to a new architecture. Organizations are moving away from monolithic infrastructures that need new operating systems for every new application, said Cardoso. Instead, they’re adopting microservices using containers for each application and running them over one operating system. “Every single app in the future will be a microservice,” added Cardoso.
With microservices, organizations can move much faster, because they don’t need to upgrade everything in a monolithic fashion, said Cardoso. However, the use of containers and the tools to manage them calls for a change in the approach to security.
What to do instead
To close the gap between the development and IT security teams, companies need to improve collaboration and training. “Security should be involved from the very first day of a new app,” said Cardoso. Security teams and DevOps also need to learn to talk the same language. “I always encourage security to learn more about development. They come to DevOps and say ‘you can’t do this’. They need to understand DevOps and adapt security tools.”
Secondly, organizations need multiple layers of automated security tools in a microservices architecture. In the pre-deployment phase, this includes testing to find issues in the code and potential vulnerabilities, as well as scanning container images to detect problems like malware. After deployment, security protection tools can block malicious code sent to a container, or attacks launched from one container against another on the same host. These tools are particularly useful for providing the layers of security needed in a hybrid cloud architecture, said Cardoso.
With these steps, security becomes part of the continuous integration and deployment pipeline, allowing organizations to move forward quickly and securely.