Security maturity of software during DevOps adoption
CONTEXT
I always wondered whether I was the only one who felt a decline in software security maturity with the adoption of DevOps. Looks like, no! There are many security people who felt the same. But after some research I understood the meaning of a true DevOps transformation.
INTRODUCTION
Companies, project teams and people talking about DevOps are thinking about cultural change, automation, measurement and sharing. In the process, developers, operations guys, security people, management, etc. everyone felt the heat of the transformation.
WATERFALL MODEL
In legacy waterfall models, security activities were done with strong support from the software development teams, with brain and heart working together. So, we (security people) were quite happy back then.
AGILE METHODOLOGY
Moving on to Agile methodology, I noticed security activities took a bad shape, thanks to a focus on speed of development and automation rather than on truly understanding the software context and business functionality. But later, when Agile practices were starting to become mature, we (security people) started breathing normally again.
DEVOPS TRANSFORMATION
Now enter DevOps, where every star in the galaxy (microservice) is delivered rapidly and continuously to the solar system (production). CI/CD! Pipelines! And therefore, a big drastic hit to our security activities. We (security people) were clearly seen as blockers to the DevOps transformation in the company. Then I started to realize what DevOps adoption really means. It's called a 'transformation' with a purpose:
- DevOps maturity model definitions (e.g. https://dsomm.timo-pagel.de/)
- Need for security activity definitions to evolve with the maturity level (e.g. moving from "running a full-length security scan" to "running an incremental scan with automatic false-positive handling")
- A lot more!
Then I actually noticed a true improvement in software security once DevOps maturity was at its highest.
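One way to implement the shift from a full-length scan to an incremental scan with automatic false-positive handling, as an added example that is not from the original post: the pipeline gate below keeps only findings in files changed by the commit and drops findings already triaged into a versioned baseline. The sample findings, the changed-file list and the fingerprint scheme (rule id, path and hash of the flagged line) are constructed assumptions, not any particular scanner's format.

```python
"""Incremental security-scan gate with a false-positive baseline (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


def fingerprint(f: Finding) -> str:
    # Hash rule, path and flagged text (not the line number) so the
    # fingerprint survives unrelated edits that shift lines around.
    raw = f"{f.rule_id}|{f.path}|{f.snippet.strip()}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def incremental_findings(findings, changed_files, baseline):
    """Findings in changed files that are not in the false-positive baseline."""
    changed = set(changed_files)
    return [f for f in findings if f.path in changed and fingerprint(f) not in baseline]


def update_baseline(baseline, accepted):
    """Record triaged false positives; the result is committed alongside the code."""
    return set(baseline) | {fingerprint(f) for f in accepted}


# Constructed sample data standing in for scanner output and `git diff --name-only`.
SAMPLE_FINDINGS = [
    Finding("SQLI-001", "app/orders.py", 42, 'cursor.execute("SELECT * FROM o WHERE id=" + oid)'),
    Finding("HARDCODED-SECRET", "tests/fixtures.py", 7, 'API_KEY = "test-not-a-real-key"'),
    Finding("WEAK-HASH", "legacy/report.py", 90, "hashlib.md5(data)"),
]
CHANGED_FILES = ["app/orders.py", "tests/fixtures.py"]
# The test fixture was triaged as a false positive in an earlier pipeline run.
BASELINE = {fingerprint(SAMPLE_FINDINGS[1])}


def gate(findings=SAMPLE_FINDINGS, changed_files=CHANGED_FILES, baseline=BASELINE):
    """Return (exit_code, actionable findings); a non-zero code fails the stage."""
    actionable = incremental_findings(findings, changed_files, baseline)
    return (1 if actionable else 0), actionable


if __name__ == "__main__":
    code, hits = gate()
    for h in hits:
        print(f"{h.rule_id} {h.path}:{h.line} {h.snippet}")
    raise SystemExit(code)
```

The untouched legacy file is not scanned, the baselined fixture is suppressed, and only the new finding in the changed file fails the stage.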
CONCLUSION
In conclusion, DevOps adoption is good even from a security perspective, but only in the long run, once the software, the project team and the company have reached the desired maturity level. Otherwise, if we are stuck at the beginning of DevOps adoption for long periods, the company / project / software may be at critical risk of facing a serious cybersecurity attack.