Building security into design with DevOps

By CyberArk

Jeffrey Kok, Vice President of Solution Engineers at CyberArk, explains why security should be a part of DevOps.

There is a perennial tension between agility and security.

As governments look to provide scalable and reliable services quickly, they are turning to a cloud native architecture and a common stack for a more seamless transition from development to deployment. At the same time, there are worries that security is unable to keep pace with development.

Agility and security are not a zero-sum game, however. If done well, government agencies can make systems more secure with DevOps by designing security in right from the development stages.
 

First, what is DevOps?


DevOps is a collection of tools to create a common culture and language between developers and operations. It provides a means of automating and running many disposable, short-lived applications that function on a common operating system.

Coupled with a cloud-first approach, DevOps will allow the public sector to build minimum viable products that can be improved and adjusted quickly. This is opposed to the classical model where development is done in a linear and sequential manner.

Governments in the region are increasingly moving towards modular development when it comes to digital services. Singapore is using CODEX to quickly roll out new services using a standard interface. Over in Indonesia, the West Java region is looking to build microservices which are easily scalable.
 

Achieving agility and security with DevSecOps


Traditionally, cybersecurity is not involved in the development stages. Instead, it is added in as a final barrier to entry for hackers. And in today’s agile environment - where there are multiple points of entry - this approach is unsustainable.

Experts have consistently maintained that security has to be involved at all development stages to build a robust product. But for many organisations, security is only brought in at the tail end. In a 2018 Threat Landscape Survey by CyberArk, four in ten respondents said security teams are brought in only at the end of each development. On top of that, only half of these respondents agreed that security is integrated into development.

DevOps is, simply put, the marriage of development and operations. Security can also be easily added to the mix to form DevSecOps. Designing with security in mind means organisations will be able to introduce security early in the process, and increase the security of the code when the product is finished.
 

Increasing transparency with security by design


With security integrated into the system itself, teams will be able to streamline operations and implement uniform security standards across the pipeline. It also means changes to the system can be detected quickly.

The agility that DevSecOps provides allows teams to react quickly to emerging threats. But this also requires a mindset change where there is no longer a separation between development, security, and operations. Instead, work in all three areas is built on the same principles of collaboration and responding to change. DevSecOps demands that security and DevOps work closely together from the very beginning and throughout development, testing, and deployment. Cyber security is, after all, a concerted effort across the entire organisation, and not just the responsibility of the IT guys.

Jeffrey Kok is CyberArk’s Vice President of Solution Engineers for Asia Pacific and Japan.