By- September 25, 2014
The other week we announced our foray into combining DevOps and security into what we call DevSec. As we move forward with more posts on DevSec, I realize it’s important to lay out a good foundation for any company looking to become more agile with their security process. Today, we’ll take some time to understand what exactly DevOps is.
DevOps is a blend of development and operations, brought about a few years back when developers started pushing toward an agile development model. Agile development is just that: developing new technology quickly. Previously in web development, new code and new versions of a product or website would typically sit for a long time between final development and public launch. During those weeks to months, testing and operations teams would make sure that the newly introduced features did not break any other piece of the product. Security teams would also use this time to make sure no vulnerabilities would become public. DevOps and cloud computing have changed this model to allow for quick deployment, where new product changes get pushed out weekly, daily, or sometimes even hourly.
One piece of the DevOps culture and mindset is the empowerment of developers to build and test against production-like systems, with automatic or semi-automatic deployment of the software. This is known as the concept of “infrastructure as code”. Things that only an enormous operations team used to be able to do are now being done with scripts in tools like Chef or Puppet, by a smaller operations team. Operations teams are getting more “dev” experience, and development teams are getting more “ops” experience. Over time, if all goes well, operations becomes more automated, speeding up deployment and getting software out to customers faster. This is the essence of DevOps; you can think of DevOps as a process for enabling continuous delivery of software.
DevOps introduces new practices to make sure that testing is done as code is written. These include unit tests (testing of a single point or feature to make sure it always works), integration tests (testing of complex inter-operations of your systems), and regression tests (testing done to ensure a bug previously found doesn’t reoccur), oftentimes written by the developers themselves. Continuous integration systems, such as Jenkins or CircleCI, can ensure that tests previously run after a code freeze are now run at every new commit of code. This automation of the testing process allows developers to quickly change and develop a product, increasing business agility, while not compromising on product quality.
Any company looking to become more agile (even non-tech companies) can benefit from creating a DevOps process. The process introduces automated tools to speed up all processes of development and IT, keeping the business moving forward. Our next post will outline some best practices on setting up a DevOps process, but as we explore the bridge between DevOps and security, we welcome all feedback and questions. Email or chat with us anytime.