DevOps—the integration of development and operations teams to eliminate conflicts and barriers—often leads to more features in business applications, developed in a faster time and with greater efficiencies. But the very features that make DevOps attractive to organizations can cause concern for assurance, security and governance practitioners. A new guide from global IT association ISACA outlines 10 key controls companies need to consider as they embrace DevOps to achieve reduced costs and increased agility.
According to 'DevOps Practitioner Considerations' those controls are:
1. Automated software scanning
2. Automated vulnerability scanning
3. Web application firewall
4. Developer application security training
5. Software dependency management
6. Access and activity logging
7. Documented policies and procedures
8. Application performance management
9. Asset management and inventorying
10. Continuous auditing and/or monitoring
“DevOps can introduce new risk but, done right, it also mitigates other risk. Looking at risk holistically means understanding both sides of that equation and making the right choice for a particular company based on its climate, risk tolerance, culture, project scope and other factors,” says Bhavesh Bhagat, CISM, CGEIT, CEO of EnCrisp.
Because DevOps adoption changes the environment and often impacts a company’s carefully crafted control environment and accepted level of risk, governance, security and assurance professionals need to play a key role. The governance decisions relating to risk, including decisions made in the past, may require rethinking, and performance metrics on which business decisions are based may need to be adjusted.
Many security controls that are intertwined with the development process may be compromised. Assurance practitioners will have to address a particularly significant area of impact: separation of duties.