There’s little disagreement that security should be baked into every step of the DevOps lifecycle. In fact, there’s even a name for it: DevSecOps. So, why isn’t its adoption more widespread? Well, as things turn out, there are quite a few challenges to DevOps security.
The Challenges To DevOps Security
Here are just a few of the challenges to DevOps security:
Focus on speed
The driving force behind DevOps is the need for speed. As you can imagine though, speed and security don’t mix too well. From BeyondTrust, “DevOps pushes and modifies batches of code over very short time frames (hours or days), which may far outpace the speed at which security teams can keep up with code review.”
Inadequate skills
It’s hard enough to find DevOps expertise. Try finding DevOps and security expertise in a single developer. From Software Secured, “Talent acquisition becomes a really tough problem in this new environment. [I]n some organizations, I’m seeing companies hiring developers and teaching them security because they find that easier than to take traditional security people with experience and to try to pull them over into this new world of new IT.”
Implementing security in CI/CD
Security used to be “bolted on” at the end. That doesn’t work with a CI/CD pipeline. Security must be a part of the pipeline. From CCSI, “Integrating security into the pipeline can be challenging. Security risks can arise during the integration stage until the DevOps model is fully implemented and running.”
In addition to the above-mentioned challenges, there is also cultural resistance to security, poor privilege access execution, inadequate controls, and collaboration challenges.
DevSecOps Best Practices
How do we address common challenges? With best practices. Here is a list provided by Fortinet for DevSecOps:
- Embrace a DevSecOps model
- Enforce policy & governance
- Automate DevOps process and tools
- Perform comprehensive discovery