When thinking about the weakest link in security, humans might be leading the board. Passwords and software are following closely. Combine these factors and insecurity is born. With the fairly new DevOps movement there is change to be expected. Is this finally solving many of our problems?
Last years more vacancies are posted asking for fulfilling a DevOps position. This combination of Operations and Development is pretty unique. Especially considering that these two areas were normally split and considered opposites. Development had the primary role to create software, test it and deploy it. All before reaching the challenging deadlines. Operations on the other hand were struggling with installing systems, install unwanted software and keep everything patched and running. Combine these two and you end up with developers having legitimate administrative permissions.
One might argue that some things or functions can never be mixed. The thought itself is very interesting though. Developers might be more responsible when installing their software and run it under the least amount of privileges needed. The operational person on the other hand, might be more willing to install those extra libraries. Not only install, but actually maintain them, or even promote them as supported software.
Another possibility of the DevOps vision, would be a more generic developer. This individual can perform the installation of the system, develop software (or parts) and do initial testing. Afterwards he then will install the software and maintain it. The developer will actually be end-to-end responsible.
Regarding security of systems, the DevOps might be a blessing or actually part of the problem. How to deal with separation of duties? After all, combining roles is a clear contradiction to that principle. On the other hand, a big benefit is the clear ownership of newly created solutions. When gluing responsibilities together, security can now be embedded in the whole package. The focus is not just limited anymore to secure development, but also applying best practices in running the software. Best of all might be the single contact to address any found issues: the DevOps.
Maybe, just maybe, there might be a place for a dedicated Security DevOps. This person would deal with all security aspects related to the development and support of newly created software. That might be adding some real value to our business! But let’s first see if a normal DevOps turns out to be a good addition. To be continued..