Security means money, especially when it comes to software development.
In 2018, the average annual cost of cybercrime per company was $11.7 million. And the amount of cybercrime is rising, as is the cost of each breach. How can you protect your company from losing money to cybercrime lawsuits?
DevOps is a multifaceted practice. Security is just one of the elements that engineers need to consider. To get security right, organizations need to have effective security practices in place.
Top performing companies know that security requires good person-to-person communication, documentation, audit trails, and swift action from your team. A first-class security reputation reassures your team and clients that there will be fewer roadblocks, less waiting for approvals and faster speed to product deployment. All of this translates to higher revenue and return on investment.
For those not responsible for leading a team or business, security can seem abstract. But, there are significant financial ramifications for ignoring good security practices.
The bottom line… security matters for everyone
Interestingly, an organization can suffer more from reputational damage than from an actual hack, leak, or lawsuit. For example, a negative news story could dissuade prospects from using your product. While a company might be able to afford the lawsuit, it can be hard to calculate the damage to your brand and market share.
This problem is so prevalent that even the largest tech companies realize they can’t do it all themselves. For example, Facebook’s Mark Zuckerberg has called for government regulation and assistance. When trust in digital products dies, it becomes everyone’s problem.
In fact, if current trends continue, trillions of dollars could be lost in the digital economy over the next half-decade due to cyber attacks and loss of trust.
Why security matters more in DevOps
DevOps is one of the key practices enabling rapid and high-quality product development. And in the modern world, it’s hard to imagine any high-quality product not being secure.
Since DevOps is implemented by some of the best software engineers, it only makes sense that security should be in their top priorities. When implementing DevOps, engineers should constantly be looking at the architecture and infrastructure in order to find holes in security.
The best DevOps teams allocate more resources to security concerns because they realize that there is a connective feedback loop between speed, performance, and security. These proactive measures help high-performing DevOps teams spend half as much time remediating security issues when compared to DevOps teams with poor implementation.
While DevOps places a high priority on security, it’s not always easy to implement. What are the practical challenges that DevOps faces with security?
Challenges employing DevOps security practices
Organizational change can be hard, especially if it means admitting mistakes made on security in highly sensitive fields like healthcare. Here are some of the key challenges leaders face when addressing DevOps security:
- Communication. Creating a secure working environment requires effective communication between your security team and your clients. However, your customer has their own rules and processes, which can slow down the fix significantly. Sometimes teams wait two or three days for permissions when the fix took minutes or even seconds.
- Privileged knowledge. Some jobs require passwords from the production environment or data from secure databases. It’s essential to find ways to create information flow from the production environment while respecting privacy.
- Sensitive information. You always need to protect sensitive information, especially from clients. There are two schools of thought on sensitive information: on the one hand, it’s not your problem, it’s the client’s. On the other hand, you’re the expert, and you need to be able to prevent leaks — or at least educate the client on how to protect themselves.
- Establishing a security framework. You need to analyze and imagine how your product can be hacked, broken into, or damaged. New techniques and vulnerabilities emerge every day which make this process difficult.
- Analyzing and estimating potential harm. There is a simple rule that helps determine security investment: the possible harm should be more than what you spent on ensuring security. For example, if you’re trying to hide an apple from your sister, you don’t need to keep it in a safe. There are much cheaper ways to protect your apple. And even if she finds it, it’s not a big deal. Similarly, you have to weigh risk vs cost when looking for security holes.
Now that we’ve discussed the challenges, how can you shield your organization?
What do good DevOps security practices look like?
An absolute minimum in security is the Secure Software Development Life Cycle (S-SDLC). It defines a number of steps for ensuring security in every project. That way when there are no requirements, you have a base level of security.
S-SDLC ensures the organization has a good picture of what measures are taken by each staff member in regards to security. The life cycle framework helps the team understand how their actions affect security and how your staff view communication and their responsibilities.
Security also enables faster deployment. For example, suppose you’re developing a .NET or .NET Core application, and the client wants to deploy it using Azure containers. You can use a new feature like flex volume, and all your sensitive information will exist in Azure Key Vaults. Flex volumes will automate retrieving the information from Azure and ensure you’re not putting it into insecure folders — making the process faster and more secure.
DevOps is a crucial point for security concerns
No matter how carefully you develop and test, there are always security risks. Strong DevOps practices are the last defense in security.
Prioritize the components of DevOps that are crucial to security. These components include frameworks, communication, and documentation. When you put security first, your team benefits from risk reduction, faster iterations, and better products — which all lead to higher revenue.
In his role as CTO Max is responsible for guiding the strategic direction of Coherent Solutions’ technology services. Max has over a decade of software development and technology management experience. He is an accomplished architect and an expert in distributed systems design and implementation. Max holds a master’s degree in Theoretical Computer Science from Moscow State University