As seen in a recent DigiCert report, an overwhelming majority of companies believe that an integrated security and devops team makes sense. In fact, 98 percent of the 300 US respondents surveyed (a third from IT or security) are either planning to launch such an effort or have already done so.
This is good, if unsurprising, news. For years, I’ve been saying devops is really devsecops, and so have many others. Most enterprises are now following that lead.
But it took years to get here. Why? If you don’t have people, tools, and processes focused on security, you’re not providing systemic security at the platform, application, and data levels. Enterprises are now getting hip to this fact.
As enterprises move to the cloud, they are taking advantage of the centralized nature of public clouds and exploiting the security subsystems that exist there. However, it’s one thing to have a security service available, and it’s another thing to intelligently integrate those cloud security services into your application development and operations processes.
By integrating security into devops, I mean carrying out security testing, such as penetration testing, within the devops process, and using the ability to check for other vulnerabilities at the time of deployment, as well as at the platform, application, and data tiers within the workloads.
A big bonus is the ongoing improvement of security within the devops process: each time a workload goes through a devops process, it becomes more secure than it had been.
In other words, integrating security into devops makes you much more proactive about security and keeps you always looking to improve it. Security needs to be systemic to all things cloud. And, in essence, devops teams become the first line of defense for what’s placed in the clouds for production, as well as how secure those production workloads are.
The integration of security teams, processes, and tools into devops is more than common sense; it should be mandatory for all enterprises moving to devops and cloud computing—which is pretty much everybody now.