Weaving Security Into DevOps Atop Cloud Infrastructure

An Intellyx BrainBlog & Infographic by Jason English, for Bridgecrew

When looking at the early threads of software development, skill specialization was the name of the game. Developers coded new features. QA teams discovered bugs. IT Ops teams managed hardware. Security teams blocked threats. Project managers managed.

At some point in the last decade, these separate threads of specialized software disciplines gradually wove themselves together. First, agile methodologies pulled many aspects of requirements definition, testing, and delivery back into smaller development teams. Then, the DevOps movement caused multiple stakeholders from all disciplines to collaborate far more closely—from design to release.

When on-demand cloud infrastructure and fully automated infrastructure as code (IaC) started stitching together the underpinning fabric of DevOps practices, the responsibilities of developers expanded well beyond application code. In cloud-native development, the infrastructure specification, observability, and of course security now have to be built into a proactive DevSecOps lifecycle rather than bolted on after the fact.

Short of expecting developers to become security experts, how can we weave security into the DevOps lifecycle so teams can ship with confidence without slowing down releases?

Threading secure dev practices into code

You’ve probably heard of that old NIST report on the economic impact of fixing bugs by software phase. Whether you have or haven’t, it’s common sense that bugs caught in earlier stages of development take far less time and effort to fix, and are therefore many times less costly than bugs caught in a runtime environment.

We now shift automated testing left to catch bugs earlier, with code linters and unit and integration tests, so developers can fix errors in both application code and infrastructure specifications before they are baked into integrated code. The same economic principle naturally applies to securing software as early as possible: a security flaw is just another kind of software bug, and a misconfigured IaC template is as much a flaw as a buggy function.
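The kind of check that paragraph describes, applied to an infrastructure specification before it is merged, is shown below. This is an added example and not code from the original post or from Bridgecrew: a toy policy scanner that reads Terraform's JSON configuration syntax (the `*.tf.json` form) and flags two common misconfigurations, an admin port open to the whole Internet and an S3 bucket with a public canned ACL. The check identifiers, the resource names and both sample configurations are constructed for illustration.

```python
"""Toy infrastructure-as-code policy check, meant to run as a pre-commit
hook or an early CI stage.

Added example, not code from the original post or from Bridgecrew. It reads
Terraform's JSON configuration syntax (*.tf.json) and flags two common
misconfigurations. The check identifiers, resource names and sample
configurations below are constructed for illustration.
"""
import ipaddress
import json

# Ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22, 3389}


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. an unrestricted source range."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def _as_list(value):
    # Terraform JSON lets a nested block be one object or a list of objects.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_security_groups(config: dict) -> list:
    """Flag ingress rules that expose an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    groups = config.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        for rule in _as_list(body.get("ingress")):
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
            cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            if exposed and any(_is_world_open(c) for c in cidrs):
                findings.append(("SG_ADMIN_PORT_OPEN_TO_WORLD",
                                 f"aws_security_group.{name}"))
    return findings


def check_bucket_acls(config: dict) -> list:
    """Flag S3 buckets declared with a public canned ACL."""
    findings = []
    buckets = config.get("resource", {}).get("aws_s3_bucket", {})
    for name, body in buckets.items():
        if body.get("acl") in ("public-read", "public-read-write"):
            findings.append(("S3_BUCKET_PUBLIC_ACL", f"aws_s3_bucket.{name}"))
    return findings


def scan(config: dict) -> list:
    """Run every policy and return (check_id, resource_address) pairs."""
    return check_security_groups(config) + check_bucket_acls(config)


# Constructed sample: the weak specification a developer might commit ...
WEAK_CONFIG = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]
      }
    },
    "aws_s3_bucket": {
      "assets": {"bucket": "example-assets", "acl": "public-read"}
    }
  }
}
""")

# ... and its hardened form: SSH limited to one documentation range
# (203.0.113.0/24, a constructed stand-in for a corporate egress range),
# bucket made private.
FIXED_CONFIG = json.loads("""
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["203.0.113.0/24"]}]
      }
    },
    "aws_s3_bucket": {
      "assets": {"bucket": "example-assets", "acl": "private"}
    }
  }
}
""")

if __name__ == "__main__":
    import sys
    results = scan(WEAK_CONFIG)
    for check_id, address in results:
        print(f"FAIL {check_id}: {address}")
    # A non-zero exit lets a pre-commit hook or CI stage block the change.
    sys.exit(1 if results else 0)
```

Wired into a pre-commit hook or the first CI stage, the exit status turns the finding into a failed check the developer sees minutes after writing the template, which is exactly where the cost-of-fix argument above says it should surface. Note that the port-range check also catches a rule like `from_port = 0, to_port = 65535` open to the world, not just a literal port 22 rule.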

Still, security adds another dimension. It’s not just the cost of labor, from both security and engineering teams, to remediate security flaws; it’s the risk that a vulnerability is introduced, escapes into production, and gets exploited, along with the enormous potential cost of the resulting breach.

Read the entire BrainBlog and download the Infographic from Bridgecrew here.


Principal Analyst & CMO, Intellyx. Twitter: @bluefug