Google has been at the forefront of the DevOps movement, signified by the release of the seventh annual 2021 Accelerate State of DevOps Report by the Google DevOps Research and Assessment team (DORA). It covers many factors found in top-performing organizations that contribute to DevOps success.
The points include how they manage to lower lead times for changes, incorporate site reliability engineering (SRE) best practices to gain higher performance, move more workloads seamlessly to the cloud, improve software quality using documentation, and develop a dynamic and engaged team culture. Researchers also highlighted how important it has become to integrate security practices into DevOps throughout the software supply chain.
According to the report, “as technology teams continue to accelerate and evolve, so do the quantity and sophistication of security threats.”
Last year, for example, Tenable’s 2020 Threat Landscape Retrospective Report showed that more than 22 billion records of confidential personal information or business data were exposed. That has created a climate where security can no longer be an afterthought.
The need to incorporate security into DevOps practices
The time-honored custom of building the app and then making security features the final step before delivery doesn’t work anymore. Instead, security must be integrated throughout the software development process—hence the growth of SecDevOps in parallel with DevOps.
The DORA report makes it clear that in order to deliver software securely, security practices must move as fast as or faster than the ploys and strategies devised by malicious actors. Researchers used the example of the 2020 SolarWinds and Codecov software supply chain attacks.
Such broad-reaching hacks are becoming more commonplace, and more attackers are learning to bypass the old model of compromising one enterprise system at a time. In the SolarWinds case, the attackers compromised SolarWinds's build system; in the Codecov case, they tampered with a Codecov script. Each compromise was then multiplied effortlessly, because the malicious code was delivered into the infrastructure of thousands of SolarWinds and Codecov customers.
“Given the widespread impact of these attacks, the industry must shift from a preventive to a diagnostic approach, where software teams should assume that their systems are already compromised and build security into their supply chain,” said the report.
Top Industry Performers Integrate DevOps and Security
To drive the point home, researchers stated that a small percentage of elite performers who are achieving the most business success and agility courtesy of DevOps excel at implementing security practices. The top performers had security better integrated into their software development process than less successful rivals. This enabled them to accelerate software delivery while maintaining a high level of security and reliability.
Further, those teams judged to be in the top bracket on integrated DevOps security are 1.6 times more likely to meet or exceed their organizational goals. The conclusion is clear.
“Development teams that embrace security see significant value driven to the business,” said the DORA report.
How to Enhance DevOps Security
The report also included tangible steps businesses could take to securely improve their speed of software delivery and its impact on business results:
- Testing: It is vital to test security features thoroughly as part of any automated testing process, including checks that pre-approved code is actually used where it is expected.
- Integrate DevOps and security: Security needs to be made part of the daily work of DevOps throughout the software delivery lifecycle. This should also include the design and architecture phases.
- Review security: Security reviews are needed for all major features.
- Pre-approved code: Pre-approved, easy-to-consume libraries, packages, toolchains, and processes bake security into commonly used coding elements, thereby reducing the burden on developers and IT as a whole.
- Planning must include security: Even in the earliest planning stages, it is vital to pay attention to potential security weaknesses and allow enough time to fix them.