Agile development can lead to more effective and efficient software delivery, but if security isn’t built into the mix at all stages, the process could leave applications and systems vulnerable, a panel of senior federal IT security officials warned Thursday.
“One of the buzzwords today is continuous integration, or the continuous evolution of the software, where you can actually make a change on the fly,” Rod Turk, chief information security officer for the Commerce Department, said at the Security through Innovation Summit, sponsored by Intel Security and produced by FedScoop.
“From a security perspective, that’s a concern. How do you make sure that that doesn’t change something else substantively down the road, down in the software?”
Rapid and continuous iterative development — what many in the IT space refer to as DevOps, a compound abbreviation for “development and operations” — can leave software vulnerable to bugs and possible intruders if security is not baked in, Turk said.
“Ponder what it is that happens once you make that continuous code change in the cloud to respond to the emerging requirements,” he said.
Despite that risk, Michael Hermus, chief technology officer of the Department of Homeland Security and a former software developer, said that shouldn’t be something to scare federal IT teams away from continuous development.
As DHS CTO, Hermus’ foremost focus is “how can we most effectively get products out, get capabilities out?” he said. “And security is now something that we have to make sure is taken into consideration.”
The key to improved security is creating a shift in culture. “Not that long ago, it was like, ‘Ah, I’ve got to deal with the security guys. Those guys are going to come in and make trouble for me,’” Hermus said.
“Now I think we all recognize that it is absolutely critical that that is factored in as early as possible. The way we look at DevOps and continuous integration is it’s an opportunity to do that — an opportunity to take current processes that are in many cases manual, that are sometimes document driven and compliance driven, and actually build security into the process, into the continuous integration development process.”
Security is so important now, Hermus said, that it deserves a spot next to the development and operations elements in DevOps. Should it be called “DevOpsSec” or “SecOpsDev?” he joked.
“There are lots of advantages that modern technology gives us to actually address security,” Hermus said. “The key is you have to actually consider security at every stage of the life cycle.