The DevOps lifecycle is rife with tension.
Development, operations and security have missions and the key is aligning all those causes.
Developers cringe when security enters the room because of the limits that come with security controls. But security isn't on duty to take the life out of the party; its goal is to make sure no one spikes the punch.
So what's guaranteed as companies attempt to unite development and operations in a security-conscious era? Not success.
"Doing DevOps well actually enables you to do security well," said Alanna Brown, senior director of community and developer relations at Puppet, an IT automation software company.
DevOps implementation boils down to people, process and technology. Those companies executing well in DevOps are weaving in security along the way.
Puppet research found 22% of firms leading security integration are also advanced in DevOps adoption, according to the firm's State of DevOps Report released last week, which surveyed almost 3,000 technical professionals.
"I think everyone's feeling the security pressure, but the people who are doing DevOps well are the ones who can actually respond to it," said Nigel Kersten, field CTO at Puppet, in an interview with CIO Dive.
"As we start to collaborate more frequently the friction goes up considerably."
Alanna Brown
Senior director of community and developer relations at Puppet
Companies with a comprehensive understanding of their environments, efficiently deploying software and interacting with technology on the back end, are best suited to respond to an incident.
Contrary to belief, security doesn't slow down the development process. Six in 10 firms with high levels of security introduction can deploy software to production on demand, according to Puppet.
DevSecOps emerges. Will a name change make a difference?
Practitioners are rethinking the DevOps name as they toy with injecting more security into the development process. Calling the movement DevSecOps is gaining popularity but is not widespread.
But there's some wariness about putting security into the DevOps name.
More and more, DevSecOps is taking "job that security is doing in production after deployment and [giving] them an automated tool to do that earlier in the lifecycle and just shift left," said Kersten.
While security is "shifting left," getting involved earlier in pre-production, the goal is to not take the same development functions and repeat them earlier in automated ways, he said.
Instead, bake security in at every stage of the development lifecycle. Integration builds on cross-team collaboration and weaving more stakeholders into the software delivery pipeline.
"It doesn't really matter what the org structure is, so long as you have folks who are dedicated to security and who are working closely in an integrated way," Kersten said. It's that integration that is really the key in terms of practice and working along the software delivery pipeline."
Puppet research found companies that thoroughly integrate security into the software development lifecycle are "twice as confident in their security posture."
Companies with security integrated into the development lifecycle are also more than twice as likely to "stop a push to production" in the event of security concern.
Security integration does not mean companies have it all figured out. DevOps adoption is complex, particular as team dynamics change in the middle stages of the methodology adoption.
In the lower levels of security integrations, because teams are not collaborating that closely, there is not much friction, said Brown. "As we start to collaborate more frequently the friction goes up considerably."
The middle stages of adoption can "get really messy," she said.