Discover Performance

HP Software's community for IT leaders // July 2012

Speed and security? Just add automation

Securing software doesn't have to cost you the gains driven by agile and DevOps methods. Collaborating on truly secure automated processes lets you make security the default, not an add-on.

Every IT leader—CIOs, CISOs, VPs of you-name-it—is being challenged to deliver real value to the business, at top speed. Replacing “silos” with more fluid processes is a big topic, as agile software development principles are increasingly common in the enterprise. At the leading edge of this movement is DevOps, a philosophy that will eventually affect how your enterprise delivers secure IT services and applications.

The short definition for a movement that has yet to truly crystallize is that DevOps extends the concept of agile development to agile delivery. As the name implies, it’s about tearing down the wall between developers and operations teams. But if Security remains marginalized in its own silo, that agility won’t materialize—and neither will reliably secure applications.

Whether your IT organization formally embraces DevOps or just seeks incrementally increased collaboration and agility, you’ll feel the pressure to remove bottlenecks and deliver the goods better and faster. In that regard, security can be one of the greatest offenders. Not only do late-stage security gatekeepers slow down the process, they do so to create “bolted on” security solutions in a world where, increasingly, only truly “baked in” security will do.

Streamlining security

The DevOps philosophy in no way diminishes the value of security. It merely shifts when, and how deeply, security enters the software development process. The result is a world in which security’s presence seems transparent, because secure development and deployment have been made the default, not the thing added last. The way this happens is through automation.

With automation, the security professional shifts from gatekeeper to consultant, and migrates from a “control” mindset to a governance mindset. Instead of toiling on the software assembly line, your security team provides its formidable expertise at key stages of software development. This level of integration builds in expertise that is repeatable and scalable.

Making automation happen

Automation is key to how Apps and Ops teams make DevOps work. But to get security built in properly, software security professionals need to be intimately involved. Here are four primary goals for security professionals in DevOps-style automation:

  1. Collaborate. Embrace change, and the pursuit of delivering better value to the business, faster. Seek out stakeholders in both Operations and Applications who can participate in vetting new process ideas.
  2. Implement. The security team must drive enablement by building checks and triggers into tools and processes so that they alert on insecure code conditions. This effort will primarily involve creating test environments and augmenting software testing tools with authoritative guidelines to address identified risks based on severity.
  3. Prepare for change. To continue to meet business demand, create a change management process to handle ongoing improvement of automated processes as risks change and evolve.
  4. Train. Educate the development team on how to use the automated processes, and make sure they understand the security principles involved and where personal discretion is and is not permitted.

Once a new automated process is up and running, the influence and expertise of the security team can't be avoided; security happens by default. And the organization will have the proactive participation of security leaders to thank. 

Providing true value

As security automation takes hold in the organization, where code checks happen by default and developers are more rapidly outputting software that meets your risk management requirements, the role of the security team can move upstream.

Security experts can focus on innovation in the areas of governance and enforcement. Security expertise can be spent not policing lines of code, but on the bigger picture: determining the risk tolerance of the organization, setting policy and refining the automation work streams.

To learn more about how the DevOps movement is changing the pace of IT value creation, go to the HP DevOps page. Learn more about protecting your data from HP Enterprise Security.

