DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in a net. The really exciting and scary trapeze acts have no net. If these folks fall, that’s pretty much it for them. Someone pointed out to me that the current DevOps security is a bit like taking away the net.
This got me thinking about how we used to develop and do security, how we do it now, and is the net really gone?
First, some history
If you’re a geezer, you remember the days when the developers built something, and operations had to deploy it. It never worked, both groups called the other names. Eventually they put aside their mutual hatred, worked together, and got something that mostly worked. This did provide some level of checks and balances though. Operations could ensure development wasn’t doing anything too silly, as development could check on operations. Things mostly made sense. Somehow projects still got deployed by banging rocks together.
That said though, things did move slowly, and it’s not a secret that some projects failed due to structural issues after having huge sums of money spent on them. I’ll never say things were better back then, anyone who claims the world was a better place isn’t someone you should listen to.
In the new and exciting world of DevOps who is responsible for checking on who? Development can’t really blame operations anymore, they’re all on the same team, sometimes it’s even the same person. This would be like that time the Austrian army attacked itself. This is where the idea of the safety net being removed comes in. Who is responsible for ensuring things are mostly secure? The new answer isn’t “nobody”, it’s “everybody”.
The real power of DevOps is that the software and systems are grown, not built. This is true of security, it’s now grown instead of built. Now you have ample opportunity to make good security decisions along the way. Even if you make some sort of mistake, and you will, it’s trivial to fix the problem quickly without much fanfare. The way the world works today is not the way the world worked even ten years ago. If you can’t move fast, you’re going to fail, especially when security is involved. Fast security is the best security.
And this is really how security has to work. Security has to move fast. The days of having months to fix security problems are long gone. You have to stay on top of what’s going on and get things dealt with quickly. DevOps didn’t remove the security safety net, it removed the security parachute. Now you can go as fast as you want, but that also means if nobody is driving, you’re going to crash into a wall.