Though the ultimate goal of a DevOps model is to accelerate the SDLC, businesses reap additional benefits. The DevOps approach allows for greater agility, helps to maintain stability and reliability, and improves recovery times. Despite these benefits, they’re not without inherent security risks.
The Continuous Integration (CI) and Continuous Delivery (CD) pipeline is the best way to deliver dynamic updates without downtime or maintenance windows — but it comes with security risks. According to the Verizon 2022 Data Breach Investigations Report (DBIR), 43% of breaches involved web applications.
Furthermore, existing DevOps processes don’t sufficiently monitor changes and ensure appropriate separation of duties (SoD) between developers and operational staff. Separation of duties — designing a workflow so that more than one person is required to complete or sign off on a task — relies on workflow roadblocks to increase security.
In software development, SoD is a fundamental security practice. Ensuring that individual workers or organizations don’t perform multiple tasks in the software development life cycle — like design and development or inspection and approval — is crucial to reducing risk. In addition, proper SoD practices monitor and control software and data changes.
How SoD Reduces Risk
Why is that so valuable? For one thing, promoting lousy code can lead to security vulnerabilities and potential data loss. According to the DHS, roughly 90% of cyber crimes result from vulnerabilities discovered in software code or design. Working to fix these problems in a later stage of development can be difficult and costly, so an approach that bakes in security from the start is a top priority.
Understandably, SoD methodology can be at odds with DevOps, which relies on integration. That’s why most experts agree it’s critical to find a balance between security and availability — particularly in the federal sector, where contractors and subcontractors emphasize security over speed for highly-sensitive data.