Traditionally, the development side of an organization has viewed security and compliance as a rigid group that interferes with the DevOps effort through its calls for separation of duties and its documentation requirements. The security teams, in turn, have viewed the development side as risky: a growing number of software releases looked like a growing threat to governance and security.
What organizations that have moved forward with DevOps have discovered is that those fears were misplaced. DevOps practices have been shown to mitigate potential security problems, discover issues faster, and address threats more quickly. These findings have led more and more security teams to adopt automation and DevOps practices. Many individuals and teams in the infosec space increasingly view DevOps as the mechanism that lets them enable and enforce security, compliance, and audit requirements, which has flipped the traditional view of DevOps from a threat to a resource.
Organizations are increasingly aligning InfoSec with their DevOps initiatives, and security requirements are becoming an integral part of their DevOps practice.
DevOps Security and Compliance Benefits:
Security testing shifted left – DevOps organizations incorporate automated security testing (static analysis, dependency and infrastructure scanning, and similar checks) early in the delivery pipeline, rather than as an afterthought just before delivery to production, or worse, after releasing to production.
Drift Elimination – The more tests and processes that are automated, the less chance there is of configuration drift or of security flaws introduced through human error, because every environment is built the same way every time.
Pipeline lockdown – The delivery pipeline becomes a locked-down, controlled process in every phase of delivery: changes reach production only through the pipeline, and the pipeline's own configuration is itself under change control.
Coordination – By incorporating security tools and tests into the delivery pipeline, InfoSec participates in every delivery rather than reviewing at the end; a failing security check stops the pipeline the same way a failing unit test does.
MTTR Improvement – When a security issue is detected, DevOps shortens the lead time, so that organizations can develop, test, and deploy a patch or update more quickly.
Enable developers without risking governance – The automated delivery of environments and data gives developers a self-service capability while at the same time allowing for access control and compliance.
Infrastructure code security – DevOps requires that infrastructure code be stored in an SCM (source control) just like application code, which makes systems consistent, traceable, and repeatable, and lets infrastructure changes be reviewed and scanned before they are applied.
Superior compliance reporting – A DevOps automated delivery pipeline has access to a tremendous volume of information that is automatically logged in great detail. As this information is logged, it becomes the audit trail, security log, and compliance report, all produced automatically, with no manual steps or long hours spent tracing processes and actions. The practical caveat is that these logs only serve as evidence if they are retained and protected from tampering, so the pipeline's log store needs the same access control as the pipeline itself.
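What a shifted-left security gate with a built-in audit trail looks like in practice, as an added example that is not code from the original page: a pipeline stage evaluates scanner findings against a severity policy, blocks the delivery when the policy is violated, and emits a structured log record that can later be used as compliance evidence. The findings format, the policy thresholds, and the sample findings are all constructed for this example and are not any real scanner's output.

```python
"""Illustrative pipeline security gate (added example, not from the original page).

Assumes a hypothetical finding format (dicts with 'tool', 'severity', 'rule',
'location') and a hypothetical per-severity threshold policy. Both are
constructed inline so the example runs offline.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample findings, as a SAST tool, a dependency scanner and an IaC
# scanner might report them when run inside the pipeline (hypothetical format).
SAMPLE_FINDINGS = [
    {"tool": "sast", "severity": "high", "rule": "sql-injection", "location": "app/db.py:42"},
    {"tool": "deps", "severity": "medium", "rule": "outdated-dependency", "location": "requirements.txt"},
    {"tool": "iac", "severity": "critical", "rule": "storage-bucket-public", "location": "infra/storage.tf:7"},
    {"tool": "iac", "severity": "low", "rule": "missing-tag", "location": "infra/main.tf:1"},
]

SEVERITIES = ("critical", "high", "medium", "low")

# Hypothetical policy: maximum findings allowed per severity before the gate blocks.
# 0 for critical and high means "block on any such finding".
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 5, "low": 20}


def count_by_severity(findings):
    """Tally findings per severity; reject unknown severities rather than ignoring them."""
    counts = {s: 0 for s in SEVERITIES}
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        if sev not in counts:
            raise ValueError(f"unknown severity {sev!r} in finding {finding}")
        counts[sev] += 1
    return counts


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return the gate decision plus the counts that justify it."""
    counts = count_by_severity(findings)
    violations = [s for s in SEVERITIES if counts[s] > policy.get(s, 0)]
    return {"passed": not violations, "counts": counts, "violations": violations}


def audit_record(pipeline_id, commit, stage, gate_result, findings, now=None):
    """Build the record that doubles as security log and compliance evidence.

    The findings are hashed so the record can later be matched against the
    archived scanner output without storing the full report in the log line.
    """
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    digest = hashlib.sha256(json.dumps(findings, sort_keys=True).encode()).hexdigest()
    return {
        "timestamp": timestamp,
        "pipeline_id": pipeline_id,
        "commit": commit,
        "stage": stage,
        "decision": "allow" if gate_result["passed"] else "block",
        "violations": gate_result["violations"],
        "counts": gate_result["counts"],
        "findings_sha256": digest,
    }


def run_stage(pipeline_id, commit, findings, policy=DEFAULT_POLICY):
    """Run the gate and return (passed, record dict, JSON log line)."""
    result = evaluate_gate(findings, policy)
    record = audit_record(pipeline_id, commit, "security-gate", result, findings)
    return result["passed"], record, json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    passed, _, line = run_stage("build-1234", "deadbeef", SAMPLE_FINDINGS)
    print(line)
    # A non-zero exit is what actually stops the pipeline.
    raise SystemExit(0 if passed else 1)
```

The gate fails closed: an unrecognised severity is an error, not a pass, so a scanner that changes its output format cannot silently turn the check off. The same record is written whether the decision is allow or block, so the log answers "what was scanned, against which policy, and what was decided" for every delivery, not only for the failures.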