4 Recommendations for Integrating Security in DevOps

August 14, 2017 Jason Sabin

Every company is looking for ways to speed up development while incorporating the appropriate level of security. Organizations are successfully doing this by taking a DevOps approach, which increases agility in many areas namely security, IT, and development. But this accomplishment doesn’t come without challenges.

For some, deciding to take this new approach comes with fear because DevOps isn’t regulated or guided by compliance standards, like security is, says Andrew Storm, who spoke on a DevOps panel at RSA 2017. For others, they worry about how to incorporate security when the organization’s structure prevents change, or there isn’t a person to drive success.

Recent DigiCert research shows that organizations are already invested in incorporating security with DevOps: 49% of organizations surveyed said they are in the process of integrating security with DevOps and 49% said they already completed their integration. The new report also discusses some of the obstacles and solutions for companies, and provides four recommendations for enterprises who are integrating or plan to integrate security solutions into their DevOps initiatives.

Today, I want to offer more insight on our four recommendations.

1. Appoint a Social Leader

Integrating security priorities with a DevOps methodology means making some structural and ideological changes for most companies. And as with any change, it is hard to move past an initial concept if there isn’t one or many people driving the shift in culture.

As Christopher Mims at the Wall Street Journal puts it, “In an age of rapid disruption by the software and tech industries, a leader has to pick up the tempo and make risker bets sooner…or else.”

Identify an individual or several people at your company to be the change agents, and they can define changes that will affect IT and Security teams as security becomes a part of the DevOps approach. These social leaders are often from IT and Security and will help move the transition along. Most importantly, they own the responsibility of championing the cultural shift for successful SecDevOps.

2. Bring Security to the Table

DevOps can reduce security risks in software development when security is implemented correctly. A security expert must be involved in the integration process and get a seat at the table. Appoint a security lead to each DevOps initiative and get all teams involved from the start. This will give you the chance to get buy-in from each team and help everyone understand the changes.

Some security best practices include controlling access, requiring signing and encryption for all projects, automating PKI, and doing vulnerability scanning, patch management, static source code analysis, and threat modeling.

3. Invest in Automation

Streamline the development process so it includes security processes, and automate where you can.

Maintaining good security posture in a network must include proper authentication, encryption, and identity to ensure integrity. PKI certificates deliver on these three key components.

Certificate management can be difficult to track in high-speed development environments. Investing in automation once parameters and controls are right, is key to achieving appropriate, consistent security controls in DevOps.

You can avoid running into problems with certificates during production stages by including digital certificates in containers, as well as development and stage environments. This will help ensure certs are correctly configured from the beginning of a project. Automate security configuration, including digital certificate deployment.

Using the DigiCert API, security and IT teams can automate requesting and provisioning a certificate for each new project. There are many certificate options available, depending on if your use-case requires public trust or private PKI. Our API integrates with third-party applications and tools. For example, we recently partnered with Venafi to offer another way to make certificate deployment more convenient. Automation increases usability and makes PKI easier to manage for IT teams.

Teams can take more steps to automate in more areas, namely vulnerability scanning and patch management. Automate vulnerability scanning for containers and build artifacts to learn about potential security risks sooner. Consistent and up-to-date patching is critical for ensuring security but it can become time-consuming. By automating patch management, this process becomes fit for fast development environments.

4. Integrate and Standardize

Once security practices are in place, you’ll want to implement the right controls for processes and platforms to fully integrate and standardize the way your DevOps teams will run. The more integrated your processes and tools, the more visibility you will have into the development lifecycle.

Applying these four recommendations to your security and DevOps integration will help any organization find the balance of agility and security. For more information about making security agile, download our full report. If you would like more information about our PKI automation solutions, email us.

Previous Article
How to Build a PKI That Scales: Public vs. Private [SME Interview]
How to Build a PKI That Scales: Public vs. Private [SME Interview]

In our first interview with Darin Andrew, Senior PKI Architect at DigiCert, we learned to keep the next 5–1...

Next Article
How to Build a PKI That Scales: First 3 Considerations [Interview]
How to Build a PKI That Scales: First 3 Considerations [Interview]

In this interview with Darin Andrew, Senior PKI Architect at DigiCert, we pose as the head of engineering a...