The concept of DevOps and agility is nothing new for most companies and developers circling the sun. The most well-known frameworks (e.g. Scrum, XP etc.) are applied in many development teams and lead to many benefits for teams, companies and customers. Evidence shows that agile methods lead to better performance than the outdated waterfall method. For many companies, the outdated waterfall method is the largest contributor to project failure. Another problem with traditional step-by-step programming is that products do not exactly meet customers’ demands and need to be redesigned, which takes time and costs money. Through DevOps, development teams work closely with the customer and have fewer things to adjust at the end of the project.


In summary, we have put together four major benefits of using DevOps:

  1. Adaptability: With shorter development cycles, software engineers can make changes to the product at much later stages of the process than with traditional methods. And through continuous testing and verification, progress can be deployed earlier.
  2. Collaboration: Through agile methods (e.g. Scrum), developers are forced to work together more closely since they report to the Scrum-Master and Product-Owner every 24 hours. This leads to lower communication barriers and better, more frequent knowledge exchange.
  3. Transparency: In the waterfall method, customers only get to see the product once it’s finished. Through agile methods, customers can engage in the process and share feedback after every new development cycle. Additionally, the Scrum-Master has better knowledge of the project status since update meetings happen frequently.
  4. Efficiency: DevOps enables development teams to discover existing problems at a much earlier stage of the project, since new features are implemented shortly after their creation. Companies can save time and money that way. Additionally, they create more value for their customers, strengthening their competitive advantage in the long run.

…but DevOps bears a risk:

The goal of DevOps is to create and integrate more features in a shorter period of time. The risk that comes with this agility is that security testing of new versions is only applied at the end of the project or after major releases. Since testing takes time and resources, developers often do not write their own security tests for the software. That is why many companies release new versions of the software without prior security testing. Especially in the area of web applications, these untested versions become a prime target for hackers. This lack of continuity in security contributes to the 30,000 websites that are hacked every day.

Now the question arises: How can companies leverage the potential of DevOps while also creating secure software?


The Trade-Off between Security and Agility (?)

On the one hand, higher agility leads to a higher production speed and more features in a shorter period of time. However, this might lead to complexity, the enemy of security. On the other hand, security is necessary to protect a business but takes time to implement, which makes it the enemy of agility. So how are companies able to combine the two? We want to share a few practices to consider when integrating security and agility to create SecDevOps.

  • Security shouldn’t be seen as an additional layer put upon DevOps after every deployment but rather as a continuous practice that needs to be thought of from the very beginning of every development cycle.
  • Development teams need to reconsider existing processes and practices. Every application or tool needs to be thoroughly checked for whether it negatively impacts the company’s security. Perhaps additional tools need to be implemented to monitor the security status of a project.
  • To fully implement security into every corner of the company, executives have to make sure that a “Security Culture” is lived in every department of the organization.
  • As it is not sufficient to think of security solely at the beginning or the end of a development cycle, developers need to have it in the back of their minds at every point in time. This can be quite exhausting if there are multiple projects to handle and the security needs to be checked manually. A simple solution is the implementation of an automated security testing tool. The Crashtest Security Suite offers an automated security scanner that continuously checks an application after every deployment to the test system. That way, developers can concentrate on creating features that actually create business value.


Benefits from IT security

We have already shown how companies can protect what they created using DevOps. In addition to the support that comes with security, there are a few aspects that are only possible by integrating SecDevOps. Below, we have put together three major benefits of implementing IT security.

  1. Enhanced Productivity: With an integrated security framework, developers can work more efficiently. Every iteration of the product is secured, and there is no need to worry about security once the project is close to being finished. Additionally, if the entire IT infrastructure is safe, developers can work from anywhere with their own computer without concern that a single computer can lead to a hacking attack (e.g. by entering a public Wi-Fi).
  2. Data Protection: After the employees, data is the most valuable asset for any company. Data is what leads to customer insights and higher business value. Losing access to business data (e.g. through a ransomware attack) can decrease productivity or even freeze the entire IT infrastructure (as with the Sony example). It might lead to direct costs since most companies decide to pay the ransom. A loss of customer data can be even worse since a lack of customer trust has a high impact on sales in the long run.
  3. Cost savings: The benefits above already lead to (in-)direct cost savings. Additionally, implementing IT security saves money since the cost of fixing a vulnerability is ten times higher than the cost of securing the application at an earlier stage. Since the GDPR came into effect in 2018, companies also have to be compliant with the regulation to avoid high penalties and the public exposure of vulnerabilities that (probably) leads to decreasing sales.

By following the suggestions above, companies can enhance productivity and business value by implementing SecDevOps. Read in our WhitePaper how your company can quickly implement these other efficient security best practices!