The State of Security for DevOps in 2020
Puppet sponsored this podcast.
If there’s a sign that something in IT has moved past the hype, it’s not that digital organizations continue to adopt it, it’s that they continue to see better and better results. Both the most traditional and the most forward-thinking DevOps organizations are seeing continually improving outcomes. This is especially true for so-called DevSecOps organizations: the ones that bake security right into their people, processes, pipelines and code.
In this episode of The New Stack Makers podcast, TNS publisher Alex Williams sat down with Alanna Brown, director of product marketing at infrastructure automation software provider Puppet, and Charles Betz, an analyst with Forrester Research, to talk about the current state of security in DevOps. Brown is the co-author of the 2019 State of DevOps Report, and of the previous six reports, while Betz is co-author of “Top 10 Trends That Will Shape Modern Infrastructure And Operations In 2020.”
Both have been actively analyzing the outcomes, practices, and cultural norms that improve performance and are driving what Google refers to as “elite DevOps performers,” as well as the rest of the organizations that are simply trying to improve.
Brown says their goal is “to provide some really actionable insight for those people who are really struggling to change and adapt to this new world of software delivery.” Betz described DevOps as having a transformative impact on software engineering and systems development. He said it’s “sticky” and showing real results.
The clear trend reflected in both reports and expressed by both guests is that there has been a remarkable increase in tempo, particularly over the last couple of years. But it’s not just speed. It’s about high-quality, highly secure releases.
“The firms that have integrated security and are doing a really good job with that are actually able to deploy on-demand much more frequently than those that have not,” Brown said.
She argues that doing DevOps actually enables you to do security well. “If you’re already doing DevOps well, there’s a really strong chance that you have enough of a cultural and technical foundation to support modern security practices,” Brown said.
These DevOps best practices include:
- Everything is put into version control
- Continuous integration
- Automated testing
- Automated deployments
- Standardized deployment patterns
Once all of the above is in place, Brown contends that making a security change isn’t that different from making any other change. Organizations are not only deploying significantly faster; Brown says they also see faster remediation times and are prioritizing security improvements over feature delivery.
But Brown warns that this doesn’t come easily. The integration of security leads to “increased friction between teams” and a temporary slowdown.
Betz said Forrester sees a change in the operating model, moving away from what he refers to as “a focus on stage-gated delivery.” He said, “I don’t think people understand how thoroughly baked into modern operating models Plan, Build, Run thinking is and how harmful it is.”
Betz says this perpetuates the attitude that security comes in only once developers have finished their jobs. He says successful organizations have to support the opposite of this batch-based mentality: a continuous flow of governance concepts.
There’s no doubt that security will continue to be an issue; systems and their threats are only becoming more and more complicated. Betz argues that continuing to put code first (pipeline as code, infrastructure as code, automated build and deployment, and constant versioning) will offer your best source of comfort.
And really, like all things agile and DevOps, it’s all about breaking down silos and bringing everyone, including and especially security, to the table from the start.
Feature image by James Sutton on Unsplash.