Does DevOps hurt or help security?

There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can't keep up, that too many of the metrics measured focus on production, availability, and compliance checkboxes, and as a result, security falls to the wayside.


Early proponents of DevOps always have argued that when done right, DevOps can actually improve security. When it comes to the positive impact of DevOps on security efforts,

Justin Arbuckle, vice president, EMEA, and chief enterprise architect at Chef, doesn't mince words. Arbuckle also was formerly chief architect at GE Capital, where he was a big proponent of Agile and continuous delivery approaches to software development.

Arbuckle says that many, if not most, organisations today simply are not developing resilient software or infrastructure or even maintaining regulatory compliance -- and that they never will be able to actually automate as much of the software security and regulatory compliance checks as they can without moving toward DevOps.

"I think a lot of what we think of as being compliant today is a complete myth," says Arbuckle, who contends that there are so many security and regulatory compliance checks that large enterprises typically have to check that they just can't keep up. "They have to trade off between 'It's good enough, we're ready to go' and 'We're not going to go anywhere until we've literally crossed every T and dotted every I,'" Arbuckle said in a recent interview.

Arbuckle is even more uncertain of current enterprise claims when it comes to managing their security risk posture. "I think the number of organisations that can count fully detailed, fully implementable -- and that's the key word, 'implementable' -- security policy by their infrastructure people on one hand," he says.

"Recommended For You"

Rackspace offers UK DevOps engineer team to support business cloud deployments Chef sidles up to security for bringing automated compliance to devops