3 Tips to Integrate Security into a DevOps Release Cycle

08.09.16

Dan Ennis, CEO

What used to be described as accelerated time to market is now the norm and the expectation for DevOps teams the world over. Today's DevOps approach to rapid software releases is in direct conflict with the review, test and monitor cadence of traditional security practice.

Within information security, web application security is the discipline most at odds with DevOps. In the modern threat landscape, protecting the application layer and testing it for vulnerabilities is critical. However, even with the multitude of security methods and solutions available, InfoSec has not kept pace with the paradigm shift in software delivery over the past few years.

Below are practical tips for a modern approach to web security that connects development, security and operations.

1. Treat WAF updates like any other change to the application code: Organizations that strive to keep their WAF up to date spend a tremendous amount of operational effort on developer/security interaction, WAF reprogramming and testing. Because the WAF is so tightly integrated into the application and influences its functionality, it should be treated as an integral part of the application in the development and release process: versioned, reviewed and regression-tested alongside the code it protects, rather than changed out of band after a release.

2. Give DevOps and security teams shared goals and accountability: DevOps and security tend to have conflicting goals within the organization. DevOps is focused on meeting aggressive time-to-market deadlines, whereas security is focused on releasing applications with as few vulnerabilities as possible. Developers are held responsible for writing the code but not for its security, while the security team can extend time to market yet is not held to the same deadlines as developers. This conflict of interest introduces friction, reduces accountability and feeds organizational politics.

3. Reduce the attack surface: Cloud-based WAFs such as Trusted Knight's Cloud-DMZ significantly reduce the attack surface of web applications by decoupling static content from business-logic requests. Security rules are then only needed for the small, business-logic portion of the application, while the rest is removed from the attack surface. Cloud-DMZ requires significantly less programming and maintenance, so DevOps and security teams can spend less time managing security and more time on product and innovation.
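What tip 1 looks like in practice, as an added illustration that is not from the original post and not Trusted Knight's own code or product: the WAF ruleset lives in version control next to the application, and every proposed rule change is replayed against a labelled corpus of legitimate and known-malicious requests before it can ship, exactly as application code is run against its regression suite. The tiny regex rule engine, the rule IDs, and the request corpus are all constructed here for the example; a real WAF has its own rule language, but the release gate is the same idea.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    target: str       # request field the regex is applied to: "path", "query" or "body"
    pattern: str      # regex; a match means "block this request"
    description: str


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str = ""        # already URL-decoded, to keep the example short
    body: str = ""
    label: str = "legit"   # "legit" must be allowed, "attack" must be blocked


def matched_rules(rules: List[Rule], req: Request) -> List[str]:
    """IDs of every rule whose regex matches its target field of the request."""
    return [r.rule_id for r in rules if re.search(r.pattern, getattr(req, r.target))]


def run_regression(rules: List[Rule], corpus: List[Request]) -> Dict[str, List[Tuple[Request, List[str]]]]:
    """Replay the labelled corpus through a ruleset.

    false_positives: legitimate requests the rules would block (the change breaks the app).
    false_negatives: known attacks the rules let through (the change breaks the protection).
    """
    result: Dict[str, List[Tuple[Request, List[str]]]] = {"false_positives": [], "false_negatives": []}
    for req in corpus:
        hits = matched_rules(rules, req)
        if req.label == "legit" and hits:
            result["false_positives"].append((req, hits))
        elif req.label == "attack" and not hits:
            result["false_negatives"].append((req, hits))
    return result


def releasable(rules: List[Rule], corpus: List[Request]) -> bool:
    """The CI gate: a ruleset change ships only if it breaks neither the app nor the protection."""
    r = run_regression(rules, corpus)
    return not r["false_positives"] and not r["false_negatives"]


# Constructed regression corpus: the requests a release of the app must keep working,
# plus the attacks the WAF must keep catching. In practice this is mined from traffic logs.
CORPUS = [
    Request("GET", "/products", query="id=42"),
    Request("GET", "/search", query="q=tom or jerry"),
    Request("POST", "/login", body="user=alice&pass=hunter2"),
    Request("GET", "/articles/union-station"),
    Request("GET", "/products", query="id=42' OR '1'='1", label="attack"),
    Request("GET", "/products", query="id=1 UNION SELECT username,password FROM users", label="attack"),
    Request("GET", "/static/../../etc/passwd", label="attack"),
    Request("POST", "/comment", body="text=<script>alert(1)</script>", label="attack"),
]

# Ruleset currently in production (committed alongside the application).
RULES_V1 = [
    Rule("SQLI-001", "query", r"(?i)'\s*or\s*'", "quoted boolean tautology"),
    Rule("SQLI-002", "query", r"(?i)\bunion\b\s+(all\s+)?select\b", "UNION-based injection"),
    Rule("TRAV-001", "path", r"\.\./", "directory traversal"),
    Rule("XSS-001", "body", r"(?i)<\s*script\b", "inline script tag"),
]

# Proposed change under review: a broader SQL rule is added and the XSS rule is dropped
# on the assumption that the application now escapes output itself.
RULES_V2 = [r for r in RULES_V1 if r.rule_id != "XSS-001"] + [
    Rule("SQLI-003", "query", r"(?i)\bor\b", "bare OR keyword (over-broad)"),
]


if __name__ == "__main__":
    for name, rules in (("v1", RULES_V1), ("v2", RULES_V2)):
        report = run_regression(rules, CORPUS)
        print(f"ruleset {name}: releasable={releasable(rules, CORPUS)}")
        for req, hits in report["false_positives"]:
            print(f"  FALSE POSITIVE {req.method} {req.path}?{req.query} blocked by {hits}")
        for req, _ in report["false_negatives"]:
            print(f"  FALSE NEGATIVE {req.method} {req.path} body={req.body!r} not blocked")
```

Run as-is, v1 passes and v2 is rejected twice over: SQLI-003 blocks the legitimate search for "tom or jerry", and dropping XSS-001 lets the script-tag comment through. Both failures are exactly what surfaces in production when WAF changes bypass the release pipeline, and both are caught before release when the ruleset is tested like code.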

There is a clear need for collaboration and communication, to tear down traditional IT silos and to integrate security into the release cycle. To learn more about how to enable agile web security, view our on-demand webinar.
