What is Secure DevOps?
I recently led a panel discussion at the 2017 IBM Interconnect conference on the topic of Secure DevOps. Here is an excerpt...
For many, security and agile are polar opposites, because security is viewed as heavy and process-driven, while agile and DevOps are streamlined and focused.
The determination of whether security is an inhibitor to DevOps or an influencer of good outcomes of DevOps development depends heavily upon two things: (1) how teams approach security design, and (2) how the sprints are organized and the backlog is managed.
Let's take the second item first... Transitioning user stories in the backlog to the active state is done when all the prerequisites are filled and the team is prepared to perform the coding, integration and testing. A project often has many user stories. The user stories may focus on business logic, user experience, middleware, back-end integration, etc. Proper backlog management includes scheduling sprints in the sequence that will produce demonstrable function for the iteration.
Now focusing on the first item... Each type of user story has some functional security implication(s), such as user management, session management, input validation, privacy, privileged users, etc. The user stories with externally facing functions also need to be resilient (or immune) to malicious behavior of bad actors. The user stories with middleware-facing or back-end-facing functions need to ensure that upstream components and API requests operate on application data appropriately, and avoid risky actions that may lead to exposing sensitive data.
This leads to the observation that Agile breaks work into chunks, and each chunk requires preparation for security. If the backlog manager schedules a sprint for a User Story before the security preparations are complete, then everyone says that security is the hold up. If the backlog manager schedules a Sprint for a User Story when the security preparations are complete, then there is no hold up.
The latter approach considers the sprint as the production line, where all the raw materials must be available when assembly begins. It also places new expectations on security professionals to do more than give opinions and find defects. In this structure, security professionals are responsible for doing the work needed to provide design patterns, code exemplars, just-in-time advice and test cases for the sprint team.
As shown on the attached graphic, a successful integration of Security and Agile requires three things: (1) a general sequencing of the backlog, (2) a Security Design activity of the backlog that produces the guidance and artifacts needed to efficiently complete the coding, integration and testing activities in the sprint, and (3) a backlog management approach that organizes and launches the sprints when the prerequisites are filled.
Here is a link to the full whitepaper on Secure DevOps.