RSA: Researchers Tout Benefits Of Security In DevOps


The next logical step in the DevOps movement, a set of processes for collaboration between software developers and IT operations teams, is aligning it with security.

That's according to Joshua Corman, director of security intelligence for Akamai Technologies, and Gene Kim, a security researcher and founder and former CTO of Tripwire, who outlined the benefits of integrating security in DevOps -- which they have dubbed Rugged DevOps -- in a presentation Tuesday at RSA 2012 in San Francisco.

The central goal of DevOps is to get development teams and operations teams working toward a common goal. While this may seem like something that should already be happening, these groups traditionally have had diametrically opposed goals: Where a developer's job is all about making changes, IT operations tends to resist changes because they can impact stability.

If this traditional adversarial relationship between development and operations can be improved, however, organizational efficiency can soar. Amazon, which has embraced DevOps, deploys a new piece of code to its servers 1,079 times per day, an average of once every 11.6 seconds, Corman said in the presentation.

DevOps incorporates Agile software development principles, but Agile doesn't go far enough in security, said Corman. So in 2010, Corman, along with David Rice, CSO at Apple, and Jeff Williams, CEO of Aspect Security, penned the Rugged Software Manifesto, a set of principles for building software that is as secure as it is agile.

Rugged Software has four main ideas for doing security better: Defensible infrastructure, operational discipline, situational awareness, and countermeasures, and Rugged DevOps is what results from adding security to the mix.
"Rugged is the kind of security a business leader like a CIO or CSO wants," Kim said.

DevOps is attracting increasing attention from large IT vendors. Last November, VMware, Google Ventures, and Cisco were part of an $8.5 million round of venture capital funding in Puppet Labs, a Portland, Ore.-based startup that makes a DevOps tool for IT automation.