DevOps represents “the end of security as we know it” but also a fantastic opportunity to build security into products, including IoT technologies, right from the start of the development lifecycle, experts have argued.
Speaking on the keynote stage at Infosecurity Europe 2015 in London on Tuesday, Sophos’ global head of security research, James Lyne, argued that DevOps itself is a product of IT teams working more closely and empathetically together.
In doing so, they can “eliminate gaps in communications” and “avoid nasty surprises,” he claimed.
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman, founder of Rugged DevOps and I am the Cavalry.
This is because DevOps rapidly accelerates time to market, something security teams usually end up blocking and slowing down.
But if the IT security function can better align with DevOps then it can get involved earlier on in the lifecycle – which is the holy grail for secure application development.
As to how to engage, security should take the approach of “how can I help?” rather than telling development and operations teams what they can and can’t do, according to Motorola Mobility CISO, Richard Rushing.
He argued that security and DevOps “need to get out in front of this problem” in the IoT space in particular, or risk a situation where the world is swamped with billions of insecure connected devices.
Lyne echoed these concerns, arguing that the prospect was “terrifying as a security professional.”
“I’m deeply concerned we’re being too cavalier about these deficiencies,” he added.
Corman advised infosecurity professionals to read The Phoenix Project to familiarize themselves with DevOps terminology, and to go to DevOps conferences to really understand what “makes them tick.”
Throughout, the role of the security guy should be “ambassador/translator rather than traffic cop,” he added.
Making a greater effort to understand DevOps could also have a hugely positive effect on information security professionals’ career paths.
“It will build your knowledge of the low level architecture of operating systems, applications and so on so you can find flaws more effectively,” Lyne argued. “It’ll help you learn and expand as a security professional.”