By Carson Sweet
The rapid adoption of agile technology practices in recent years has made many security leaders squeamish. Viewed with skepticism for more than a decade, most executives believed agile development was a passing fad that lacked any real impact in the long run. It’s no surprise security executives have an instinct to pump the brakes as they witness their enterprises adopting agile technology practices, but they should fight the urge to resist.
It has become a competitive imperative to embrace agile in most cases—practices have improved quality and speed in go-to-market, boosted productivity of IT teams, and increased success rates in software development. I haven’t seen a CSO yet successfully stop the adoption of agile practices, but I have seen more than a few replaced after campaigning against IT agility.
Innovative companies incorporating security best practices into agile teams lead the way in terms of cybersecurity. Future leaders in the industry will focus on these three main areas: Security as a Service (SECaaS), automation, and DevSecOps.
Security as a Service
Today’s enterprises anticipate SECaaS—the ability for technology users to provision their own security—becoming the primary direction for the rest of technology. This is a major shift, but it is less about directly providing security deliverables and more about providing the ability for consumers to deliver their own security.
Take exposure management, for instance. In traditional settings, application owners would begin a project alongside the operations and security engineering team. That would allow exposure to be management licensed, configured, and deployed for a new application.
In the newer SECaaS model, that exposure management service already exists. It was built in compliance with the existing corporate protocols and technical standards. The application owners would activate the service through a self portal or other provisioning tool.
This not only creates a more effective security experience, because the application owner is less likely to shirk security concerns, it also creates more efficiency in the process. Both aspects are critical to security keeping up with the raw scale and speed of agile technology delivery. In terms of the multi-year transition, creating services that can be repeatable with minor tweaks is vital—greatly relieving the overhead of one-off projects for every application that’s migrated to an agile delivery model.
Agility creates a massive amount of compliance overhead and new security concerns for a number of reasons. So, when is comes to automation, the main issue is simply scale. Examples include
the adoption of cloud infrastructure means far more individual workloads, more broadly distributed, with a much higher rate of change.
Agile application development coupled with DevOps and continuous delivery impacts the release schedule—instead of quarterly and monthly rollouts, we’re looking at weekly or even daily releases. Consumerized, readily accessible Software as a Service and other cloud services result in an exploding number of locations that need to be secured and monitored.
The first step is recognizing that every example drives more work for security. To overcome the workload issue, the key is to lean heavily into automation for real success in an agile enterprise.
The purpose of DevSecOps is to embed security into agile development operating practices—making security part of the team’s DNA, rather than a tacked on practice. Imagine the central security organization as a service provider and DevSecOps engineers as the consumers of those services—basically the “consumer” side of security.
Development teams need a tertiary understanding of security, but embedding skill sets into DevOps teams doesn’t mean you have to hire all new people. You do, however, need a dedicated, on-the-ground team member who is accountable for putting the right security services in play. This has everything to do with harmonizing and scaling security to better align with agile technology delivery models.
The most successful companies find ways to get ahead of growing security threats by studying how enterprises approach them, rather than fighting the inevitable shift. Armed with the knowledge of security’s continued importance, leaders map out direction options and steer their development ships accordingly. SW
Carson Sweet is co-founder and CTO for CloudPassage. As founding CEO, Sweet led the team that created Halo, the patented security platform that changes the way enterprises achieve infrastructure protection and compliance. He also serves as chairman of the CloudPassage board of directors.
Apr2017, Software Magazine