The ultimate goal of a DevOps model is to accelerate the systems development lifecycle. The continuous integration (CI) and continuous delivery (CD) pipeline is the best way to deliver dynamic updates without downtime or maintenance windows — but it comes with security risks. According to the Verizon 2022 Data Breach Investigations Report (DBIR), 43% of breaches involved web applications.
Furthermore, existing DevOps processes don’t sufficiently monitor changes and ensure appropriate segregation of duties (SoD) between developers and operational staff. Segregation of duties – designing a workflow so that more than one person is required to complete or sign off on a task – relies on workflow roadblocks to increase security.
In software development, SoD takes a particular shape. Ensuring that individual workers or organizations don’t perform multiple tasks in the software development life cycle – like design and development or inspection and approval – is crucial to reducing risk. In addition, proper SoD practices monitor and control software & data changes.
How Does SoD Reduce Risk?
Why is that so valuable? For one thing, promoting lousy code can lead to security vulnerabilities and potential data loss. According to the DHS, roughly 90% of cybercrimes result from vulnerabilities discovered in a software’s code or design. Working to fix these problems in a later stage of development can be difficult and costly, which is why an approach that bakes in security from the start is so valuable.
Understandably, SoD methodology can put it at odds with DevOps, which relies on integration. That’s why most experts agree it’s critical to find a balance between security and availability, even in the federal sector, where the emphasis tends to lean more towards security rather than speed. This emphasis is understandable; federal contractors and subcontractors often deal with highly-sensitive data, so security is critical.