DevOps, TechDebt and Security

I see a lot of startups, and even some mature companies, beginning to embrace the “DevOps” culture. DevOps is often described as the “continuous operational merger between developers and IT operations.” What I haven’t seen, however, is the integration of security expertise into these DevOps teams. In fact, those organizations that claim to have a mature security program and also be “DevOpsy” have a completely separate security team outside of the Dev teams. Products are launched over the wall to be tested, and then returned with a passing or failing grade, along with a list of deficiencies.

What’s worse is that young startups, especially those that have accepted venture capital, are pushed to get the product out the door FAST! Furthermore, once the product is out the door, they need to be adding new features all the time. This causes a push to hire talent just as fast. It’s rare that the interviews for these DevOps folks contain any questions to test the candidate’s application or systems security skills. This results in products that are built fast, with only the minimal security features that are obvious to the non-security-savvy DevOps teams. Over time, as the product gets built and the business grows, there’s no time to go back and fix things that are “good enough” and working for now. This results in “TechDebt” and a software stack that is unstable, difficult to manage, upgrade, and change, and can present significant risk to the business. As the business grows and the product changes, resolving the TechDebt becomes more and more expensive.

DevOps and security DO mix. In fact, they go quite well together. Each DevOps team should have at least one security-minded expert to help with defining requirements, building security-related libraries and APIs, developing unit tests to catch security mistakes early in the product development stages, and setting up more rigorous security testing in the QA and integration environments.

Oftentimes, hiring security experts can be difficult and expensive. If your business is still in its earlier stages, it may be more effective to find someone already on your team to champion security and get them some training and guidance from experts like Electric Alchemy. You’re investing in your employees and growing the security community at the same time.

Gerrit Padgham
Principal Security Consultant