From Months to Minutes, Deploying with DevOps


Less than a year ago, I made the decision to retrain in IT. I was excited but not exactly sure where I would fit into this vast and constantly evolving space. I want to add concrete value to people’s lives, to build secure assets and to work in an environment where I can communicate and collaborate with colleagues. I want to continuously learn, improve and look forward.


Reading industry reports (a more raucous Saturday night than most), I learned about the differences between elite DevOps practitioners and teams following more traditional approaches. The elite practitioners demonstrated:

  • 6570x faster from code committed to app going live
  • 973x more frequent app deployments / roll-outs
  • 6570x faster recovery from failure
  • 3x less likely to fail during changes

These are not typos. I checked. What would traditionally take months now takes minutes.

So what is DevOps? And what about DevSecOps?

Each model is built from the same three groups: developers, operations and security. Each has different roles and priorities.


In the beginning there were development, operations and security as three separate teams. Developers built the software, finished their work and handed it to the operations team. Operations then had to overcome compatibility issues and bugs, which were no longer the developers’ problem. Security would try to ring-fence the vulnerabilities at the end. This siloed approach had a number of flaws: distinct teams with clashing priorities produced buggy apps, typically with no security by design, that took inordinate amounts of time to develop and deploy.

DevOps merges development and operations into one team, enabling collaboration and communication through collective responsibility. Security is embedded at every stage of production. There may be security champions in the DevOps team, but a separate security team with a governance function also remains. DevSecOps integrates all three together.

[Source: Mercari]

The potential upsides are huge: quicker releases, faster bug fixes, more automation and potentially improved security. Potentially. Depending on implementation.

A less rosy report shared that:

  • 95% of organisations reported applications had been attacked successfully
  • More than 66% lost data or critical services as a result
  • 79% said the DevOps team was under pressure to shorten release cycles

and

  • 55% of organisations sometimes skip security scans to meet deadlines.

A risk of DevSecOps is that security becomes a resource rather than a governance function with vetoing power, subject to the sway of ever-increasing time pressures. This can lead to quicker releases but with more mistakes, and more costly mistakes. Ultimately, whether the journey from DevOps to DevSecOps is right for an organisation depends on its security posture, its risk tolerance and the degree to which it embodies the principles and pillars of secure DevOps and DevSecOps.

Different Approaches

For the Cloud Security Alliance, a DevSecOps approach rests on six pillars of reflexive security. The approach should:

  • Enable collective responsibility: Live and breathe "security is everyone's responsibility".
  • Be pragmatic: Security should enable, not block, business function.
  • Align and bridge: Policy should be unified and consistent, bringing alignment and harmony to different departments.
  • Automate: Where possible, remove human input.
  • Measure and improve: Performance that cannot be measured cannot be improved.
  • Collaborate and integrate: People must feel comfortable sharing information and alerts, and working together in a culture of trust.


The Department of Defense’s four pillars of DevSecOps approach the subject from a different angle, addressing people, processes, technology and governance. They include:

Organisation

  • Culture shift & buy-in
  • Communication and collaboration
  • Security & QA at every phase
  • Feedback and user driven change

Process

  • Collaborative design
  • Test-driven development
  • A continuous build pipeline leading to continuous integration, delivery, deployment, operation and monitoring
  • Automate authority to operate (ATO) as much as possible

Technology

  • Tool adoption
  • Cloud and containerisation
  • Infrastructure as code
  • Security as code

and

Governance

  • Uniform policy enforcement
  • Data driven validation
  • Learning, high-trust culture
  • Next-generation governance, i.e. accountability, transparency, adaptability, automation and discipline.

As I deep-dive into each topic in DevSecOps, developing my knowledge and practice, I’ll be posting my notes. If you’ve made it this far, leave a comment or a question. What made you think? What topics would you like to hear more about? Is there anything I’ve missed or mistaken? Let me know!

Ikechi Ajoku

Cyber & Information Security Professional - MBA | MSc | Ce-CSP | CCSK | CISMP | CIS IA -ISO 27001:2022 | COMPTIA Sec+ |

2 years

Soar Chris, soar! The cyber world awaits your expertise and your gifts. You’ve got this. Can’t wait to see where this beautiful journey takes us all.

Leo C.

CISO @ Owkin (Ex Flo Health and FanDuel)

2 years

Would like to see a topic covering culture of security.

Nice overview Chris. Are you planning on looking at specific areas or just let the learning lead you so to speak?
