DevOps generally means integrating software development (dev) and information technology operations (ops) to speed the lifecycle, deliver better features, updates and fixes, and more. What’s sometimes missing from this perspective? Security. Here’s a description of how to bring security fully into this picture, and integrate it all the way from design, through development and test, and into production.
By Wikipedia’s definition:
DevOps is a set of software development practices that combines software development (Dev) and information technology operations (Ops) to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives.
Most experts agree that DevOps actually combines three key ingredients:
According to The DevOps Handbook, the real essence of DevOps depends on “applying the most trusted principles from the domain of physical manufacturing and leadership to the IT value stream.” It goes on to mention a slew of bodies of knowledge that include Lean, the Theory of Constraints, resilience engineering, learning organizations (continuous learning and continuous improvement), safety culture, human factors, and more. On the leadership side, it cites high-trust management cultures, servant leadership, and organizational change management. DevOps isn’t just a combination of Dev and Ops; it’s an entire frame of reference for doing development and IT correctly, responsibly, and repeatably.
Where Does Code Security Come Into DevOps?
The short, flippant answer to this question is correct, but overly brief – namely “Everywhere.” That is, security has to be part of the process used for DevOps, it has to be built into the tools used to do DevOps (or make it happen), and, above all, it needs to be high up in the minds of the people involved in DevOps.
Kiuwan offers a way to bring security in throughout the entire DevOps lifecycle. It can scan code for vulnerabilities and, where a fix is available, automate the relevant remediation. Because the Kiuwan tools integrate with well-known development environments, scanning code for security vulnerabilities, adopting secure coding standards, and preventing errors automatically become part and parcel of the development, test, and update/maintenance processes across the entire lifecycle.
Kiuwan’s IDE integrations encompass the following families and items:
Thus, organizations gain lots of traction to build security (and code scanning) into all phases of their development, maintenance, and deployment efforts. This is why some refer to the most productive mindset in this arena not simply as DevOps but rather as DevSecOps to put security on par with the equally important frameworks that help to formalize and codify the development and operations pieces of this overall puzzle.
Why not contact Kiuwan and ask them how they can help you put the Sec into DevOps? Or, you may want to start by downloading the company’s excellent little eBook 4 Steps to a Better DevSecOps Process.