In 2019, DORA released its DevOps research report, the eighth DORA report so far. Unlike previous reports, the entire 2019 report focuses on a single element: security. In 2018, DORA provided a five-step model to help organizations develop or promote DevOps practices. When integrating security with DevOps practices, teams often run into many difficulties, and this report analyzes security integration from multiple angles. Let's take a look at what lessons it can offer us.
Researchers
As the ideas have spread, DevOps no longer remains at the level of vocabulary and concepts; it has been widely accepted and recognized. As in 2018, the organizations leading this report are still Puppet and Splunk, and a new member, CircleCI, has joined. Interestingly, the main authors are still the same four people, and even their avatars have not changed; the only difference is that Michael Stahnke moved from director of engineering at Puppet to VP at CircleCI. But these details matter little to readers; what everyone cares about is the inspiration their work can bring us.
The challenge of security integration
Interpretation: That security is very important and deserves enough attention is an idea deeply rooted in people's minds, but when many projects actually set about integrating security practices, they find the idea too idealistic, and a certain contempt for it shows in practice. Compared with functional feature enhancements, security enhancements are not always clear and perceptible to the enterprise; they are more like insurance, regretted only after a security incident occurs. So feature enhancements are generally ranked first and security enhancements second, and what is actually ranked "second" never gets enough attention. We will use some data to support this view.
This report gives conclusions on how enterprises integrate security when implementing a DevOps transformation, and on the impact of security integration on enterprise output.
Abstract
DevOps implementation will have a positive impact on security
Generally speaking, the enterprises that need to integrate security into their DevOps practices are those past the initial stage: their DevOps practices have achieved initial results and now need to be strengthened across the entire enterprise.
Interpretation: In the 2019 survey report, up to 22% of teams with good DevOps practices have reached the highest level of security integration. DevOps CAMS is also effective for security integration: reliability, predictability, measurable behavior, and observability not only produce a secure environment; more importantly, once all of these are combined with automation, the speed of security incident response improves.
A good DevOps culture can support the implementation of stricter security policies. In a team with a sharing culture, members use common tools to work toward a common goal, and security naturally becomes a shared responsibility. Under this culture the "department wall" is relatively easier to cross, and when problems arise they are naturally resolved at the earliest point.
Deeply integrating security into software delivery makes the team more confident
According to the survey report, 82% of respondents at the highest security level have sufficient confidence in their company's security, while among respondents without security integration the proportion is only 38%. This result fully shows that deeply integrating security into software delivery makes the team more confident.
Interpretation: Integrating security is not simply a "shift left"; it must be addressed as a whole, for example by emphasizing cross-team collaboration, enhancing the role of automation in detection and prevention, and breaking down the knowledge silos between departments so that members can participate. The most widely used practices for improving security are as follows:
Teamwork: Based on threat model analysis, the security team and the development team strengthen their cooperation to respond to security threats.
Tool integration: Security tools are integrated into the development pipeline, which increases developers' confidence that the code they write will not introduce known security issues.
Security requirements: Considering both functional and non-functional aspects, security-related requirements are listed in the product backlog.
Manual review: Security experts evaluate the results of automated testing, with emphasis on code changes that carry higher risk, such as authentication- and encryption-related parts.
Infrastructure security: Security policies related to the infrastructure need to be reviewed before deployment.
Key point: Most of these practices are known to most companies, but for various reasons they are often not carried out. This is a common situation.
Integrating security into the software delivery lifecycle brings positive results
The survey report found:
Higher on-demand deployment rates in production: 61% of respondent companies with a higher level of security integration can easily deploy to production on demand, while among respondents with a lower security level the figure only reaches 49%.
Repair time is not much different: the assumption before the survey was that companies with higher levels of security integration can deploy faster and therefore fix security problems faster, but the actual feedback shows that the time to fix problems is currently about the same.
Higher efficiency of security improvements: Companies with a higher level of security integration can more effectively include security improvements when delivering features, and are more efficient when a delivery to production only addresses security issues.
Interpretation: The deeper security is integrated into the software delivery lifecycle, the clearer the delivery team's understanding of its shared security responsibility, the more potential business risks are reduced, and the more value addressing security issues brings.
The intermediate process may be chaotic and difficult
Just like the problems encountered when promoting DevOps on its own, the intermediate stages and processes may be chaotic, disorderly, and very difficult. At the beginning of a project, many unknown problems and obstacles have not yet appeared and there is no large-scale rollout, so it is often smoother to see the expected results; but as the integration deepens, many problems will appear. This is a very difficult intermediate stage. The same is true for security integration: one problem is solved and a new one is introduced. We don't know how long this intermediate stage lasts (though experience says it is generally shorter than expected, even if the difficult days feel very long).
Interpretation: In the difficult middle stage, the integration and communication that security requires will sometimes slow down delivery, and security audit findings will increase, bringing extra work and attention; the organization also needs to change correspondingly to adapt. But these are the details that must be dealt with in the intermediate stage. Hold on with the conviction that you will get through it; the light is ahead, and we have no other choice.
The continuous data from 2018 and 2019 also support this view: although the whole is maturing, if we exclude the very mature and those not yet started, the proportion of enterprises stuck in the middle for two consecutive years is as high as 79%, indicating that the evolution of DevOps will still be a long-term process.