SecDevOps: Fitting Security into the DevOps Methodology





Agility is now an unavoidable necessity in a fast-moving technology environment, but achieving it often presents a huge challenge for companies and their development teams. The DevOps methodology offers a solution, but following it is not always easy.


Even more crucial than the need to transform the development process is the need to protect against increasingly sophisticated cyber attacks. While it may not seem like it at first glance, these two tasks are not worlds apart. Some organisations are now finding that agility and security can go hand in hand.


SecDevOps is a novel approach to development that puts security right at the centre of DevOps by integrating it directly into the development cycle itself.


Traditional DevOps automates software development, accelerating and honing the process to satisfy the needs of operations departments who require code that works immediately in production.


In contrast, SecDevOps automates the secure coding component of development to satisfy the needs of the security team who want to establish and maintain software that is immediately secure in production.


Merging Security and Agility


According to CSO Online, SecDevOps is already becoming a top security strategy driver for information security officers.


Organisations such as the US-based brain research charity, The Dana Foundation, have found the SecDevOps approach to be highly effective. The result is a win-win: faster development cycles and more robust security.


The foundation’s Chief Information Officer (CIO), James Rutt, told CIO Insight that he is primarily concerned with “code quality and code security”, with a particular focus on protecting against known code vulnerabilities such as cross-site scripting and forgery.


The SecDevOps approach helped the foundation speed up its development process while reducing code vulnerabilities by 40 – 50 percent. These figures provide a clear illustration of how security and agility can form a perfect partnership.



Building Security Into the DevOps Cycle


For years, experts have been preaching that security should not be viewed as something that can simply be bolted on after the production process. It needs to be built in. However, in the face of traditional, prolonged development cycles and a constantly changing security landscape, built-in security was simply not possible in the past.


As new versions of a software package were only released every couple of years, the security environment was always radically different by the time the updated version was released. Developers had no choice but to bolt on new security features.


In the world of DevOps, the software development cycle has become dramatically faster – so much faster that code development can now match the pace of emerging security threats.


Developers are no longer focused on fixing existing code to handle new threats. Instead, they are constantly building new code as part of the DevOps cycle. This means new security features are now built in as part of the development process.


This is exactly what the security community has been preaching all along.


Given advancements in business processes, SecDevOps is now an attainable goal. It is a natural and organic way to approach security needs in the context of ongoing code development. This is very good news for businesses that are currently making the transition into the DevOps era.

