Today, most DevOps teams place priorities on software delivery speed as well as software security. These are not always easily reconcilable goals. Sometimes, maximizing security means reducing the speed at which you deliver software.
But it doesn’t have to be that way. A properly designed CI/CD pipeline can optimize security without slowing down delivery. Let’s explore how.
The Tension Between Speed and Security in CI/CD
Most CI/CD processes were designed first and foremost with software delivery speed in mind. After all, delivering rapid updates, achieving agility and resolving application problems quickly are the major selling points for organizations to move from waterfall to CI/CD strategies.
While maximizing software delivery speed is a great thing, the problem with many traditional CI/CD pipelines is that they treated security planning and testing as afterthoughts. Security operations in many cases remained siloed away from the rest of the software delivery pipeline.
The exclusion of security from CI/CD pipelines makes sense if your only goal is to get software out the door as quickly as possible. The more components and people you add to a workflow, the slower things tend to get, and so integrating security is not a good way to maximize delivery speed.
From a security standpoint, however, this approach is less than ideal. If you don’t give security the same priority as you give delivery speed, you might miss vulnerabilities during development and testing, leaving your application prone to breaches in production. And if you do discover security issues prior to release, correcting them takes longer if security operations are performed in a silo, out of sync with CI/CD processes.
Maximizing Software Security and Speed
The ultimate goal of a DevOps team, then, should be to maximize software delivery speed without compromising security. Fortunately, there’s a way to do that. It entails integrating security into the CI/CD pipeline so that security planning and testing are performed in parallel with all other software delivery processes.
On the surface, integrating security into the CI/CD pipeline might seem like a way to slow down delivery, rather than keep it speedy—and it is if you don’t take the right approach. The more people and processes you add to your continuous delivery workflow, the higher the risk of delays.
To avoid that risk and keep the CI/CD pipeline running smoothly even with security operations fully integrated, DevOps teams should focus on the following:
- Automating security processes. Automation is the enabler of DevOps, and that applies to security processes, too. Automated security tools will keep your CI/CD pipeline flowing smoothly. Manual security processes will slow it down.
- Integrating security across the pipeline. Bringing security processes into the CI/CD pipeline effectively means performing security tasks at all stages of the pipeline, rather than at just a few points. Involving security admins in the application architecture process, or running security tests just before release, is not enough on its own to prevent the security-related delays that could slow down continuous delivery.
- Embracing continuous feedback. Security operations shouldn’t end with production deployment and monitoring. Your DevOps team should also gather continuous feedback about security effectiveness and use it to plan future application updates. Otherwise, your team will lack the security insights required to maximize efficiency and avoid potential delays.
- Deploying multiple security processes. You might be tempted to limit the number of security processes that you add to your CI/CD workflow in the interest of minimizing complexity and potential delays. However, it’s important to remember that modern security threats come in many forms, and no single type of defense is sufficient. Your CI/CD pipeline should therefore include all of the security checks and tests you need to keep your application secure. Test your application for compliance with firewall policies, runtime security, access control and so on, because all of these tests are important for maximizing security.
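As an added illustration of the four points above (this is a constructed example, not code from the original article or from Twistlock), here is a GitLab CI pipeline in which security jobs sit in the same stages as build and test rather than being bolted on just before release. Every job is automated, security checks run concurrently with their functional counterparts, and several different kinds of check (static analysis, dependency audit, image scan, deployment policy check) are present. The tool invocations (semgrep, npm audit, trivy), the registry name, the manifest directory and the policy script are assumptions chosen for the example.

```yaml
# Constructed pipeline: security checks run in parallel with build and test at
# each stage, so they gate promotion without adding a serial "security phase".
stages:
  - build
  - test
  - package
  - scan
  - deploy

build:
  stage: build
  script:
    - npm ci
    - npm run build
  artifacts:
    paths: [dist/]

# Stage "test": unit tests, static analysis and dependency audit run concurrently.
unit-tests:
  stage: test
  script:
    - npm test

sast:
  stage: test
  # --error makes semgrep exit non-zero on findings, so this job fails the stage.
  script:
    - semgrep --config auto --error .

dependency-audit:
  stage: test
  script:
    - npm audit --audit-level=high

# Stage "package": build and push the image that later stages will scan.
image-build:
  stage: package
  script:
    - docker build -t registry.example.com/app:$CI_COMMIT_SHA .   # assumed registry
    - docker push registry.example.com/app:$CI_COMMIT_SHA

# Stage "scan": image vulnerabilities and deployment policy checked side by side.
image-scan:
  stage: scan
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL registry.example.com/app:$CI_COMMIT_SHA

policy-check:
  stage: scan
  script:
    # Hypothetical script: validates network policies and RBAC in the manifests.
    - ./scripts/check-deploy-policy.sh k8s/

# Stage "deploy" only starts once every job in every earlier stage has passed.
deploy:
  stage: deploy
  script:
    - kubectl apply -f k8s/   # assumed manifest directory
  environment: production
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```

Because each security job shares a stage with a functional job, the wall-clock cost of a stage is its slowest job rather than the sum of all jobs, and a failing check blocks promotion to the next stage without anyone having to hand work to a separate security team. Findings from the image scan and policy check can be fed back into the next iteration in the same way test failures are, which is the continuous feedback loop described above.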
Rethinking the Value of DevSecOps: It’s About Speed, Not Just Security
So far, I’ve avoided the term DevSecOps in this article. But what I’ve described above is basically a DevSecOps approach to application delivery. DevSecOps is all about integrating security into the rest of the delivery pipeline, and by now, most DevOps engineers are familiar with the concept.
What you may not have spent much time thinking about is the role of DevSecOps in optimizing software delivery speed. When we talk about the value of DevSecOps, we tend to focus on it as a way of improving security by applying DevOps principles to security workflows.
Improving overall security is one benefit of DevSecOps. But so is the ability of DevSecOps to maximize software security without compromising delivery speed. If you don’t embrace DevSecOps, you have to choose between security and continuous delivery. You can’t have it all.
What DevSecOps enables, however, is a CI/CD workflow where speed and security are both possible. You get the best of both worlds.