Threat Stack Blog and Cloud Security News

How to Apply DevOps Culture to Security & Why You Should Do It

by Pete Cheslock Jun 17, 2016 8:35:26 AM

Unless you’ve been living under a rock (or don’t work in the tech industry), you’ve probably heard the term DevOps thrown around. A mashup of “development” and “operations,” DevOps is a mindset and set of practices that focus on collaboration and communication between software developers and other IT professionals with the goal of automating both software delivery and infrastructure changes.

The four major tenets of DevOps are:

  • Culture
  • Automation
  • Measurement
  • Sharing

As this culture has proven successful and spread throughout many industries, people have tried to bring other parts of their technical teams into the same DevOps workflows that are working so well for their organization. Security teams, in many ways, have been the laggards, and have yet to really include themselves in the DevOps conversation. Luckily, in recent years, much more focus has been placed on the security side.

Integrating security operations into your existing DevOps workflows means both applying DevOps principles to security and incorporating security into the development and operational processes. It’s how we operate at Threat Stack, and we believe it’s how all security teams should operate if they want to achieve maximum efficiency and effectiveness.

But why, you ask?

Key Benefits of a DevOps Culture (as applied to development, operations, and security)

Benefits of DevOps                                              | Benefits of Security-Enabled DevOps
----------------------------------------------------------------|----------------------------------------------------------------------------------
Shorter time-to-market for software                             | Security doesn’t slow down time-to-market
Improved customer satisfaction                                  | Improved customer security and peace of mind
Better product quality                                          | Security baked into high-quality product
More reliable releases                                          | Security woven into every release
Improved productivity and efficiency                            | Security doesn’t hamper productivity or efficiency
Increased ability to build the right product by quick iteration | Increased ability to build the right security functions into every product iteration

Why DevOps Practices Are Good for Security

DevOps achieves the benefits listed above by increasing the speed of feedback loops inside development and operations teams.

The problem with a DevOps culture that doesn’t have security built in is that security teams often wind up frustrated when vulnerabilities are not caught before reaching production. At the end of the day, it doesn’t matter how fast feedback loops or continuous delivery cycles are if you’re releasing products that are riddled with vulnerabilities. You may even find yourself backtracking to fix security issues, taking up more time than DevOps practices save.

So it naturally follows that security needs to be involved in the development process from the beginning. Otherwise it will get left behind. Development and operations teams can’t (and won’t) slow down to accommodate security teams, so it’s up to security teams to insert themselves into the conversation early on.

By integrating security with the continuous integration (CI) and continuous deployment (CD) pipelines, the security team is able to participate in rapid feedback loops in order to identify and fix problems before they become an issue in production.

How to Build a DevOps Culture for Security

So how, exactly, do you go about integrating security into the DevOps process? The good news is that you don’t need to make major changes to your development methods or cycles. The most important thing is to get security using the same tools and processes that your Dev and Ops teams are already using, from Kanban boards and scrums, to Configuration Management and Continuous Integration systems.

For example, security teams should integrate source code scanning and system-level vulnerability management inside the application and system build process. This way, they can better deal with security issues in real time and maintain the speed of the rest of the organization.

Here’s how it works at Threat Stack:

  • All teams — not just security practitioners — participate in and own various security processes.
  • Security scanning and compliance are built into the same system automation tools we are already using (Chef, Jenkins, etc.).
  • Threat Stack’s Cloud Security Platform protects our own systems: we constantly scan for vulnerabilities, alert on anomalous activity, and track our success over time.
  • Developers are given broader access to the systems they are writing code for, working closely with operations team members to better understand how those systems will support the code they run.
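The two points above about putting source code scanning into the build process and wiring it into existing automation such as Jenkins come down to one mechanism: a gate step that reads the scanner’s findings and fails the build when anything serious is present, so developers get the feedback in the same run that compiles their code. The script below is an added illustration, not Threat Stack’s tooling; it assumes a generic scanner that emits one finding per line as tab-separated SEVERITY, ID and LOCATION (a constructed format), and the function names and the sample findings are likewise made up for this example.

```shell
#!/bin/sh
# Added example (not Threat Stack's code): a CI build gate that fails the job
# when a scanner reports findings at or above a severity threshold.
# Assumed input format (constructed for this example): one finding per line,
# "SEVERITY<TAB>ID<TAB>LOCATION". Lines starting with '#' are ignored.

# Map a severity name to a numeric rank so thresholds can be compared.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # unknown severities never block a build
  esac
}

# count_blocking FINDINGS_FILE THRESHOLD
# Prints the number of findings whose severity is at or above THRESHOLD;
# each blocking finding is also reported on stderr for the build log.
count_blocking() {
  file="$1"
  min=$(severity_rank "$2")
  n=0
  tab=$(printf '\t')
  while IFS="$tab" read -r sev id loc; do
    [ -z "$sev" ] && continue                 # skip blank lines
    [ "${sev#\#}" != "$sev" ] && continue     # skip comment lines
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      n=$((n + 1))
      echo "BLOCKING: $sev $id at $loc" >&2
    fi
  done < "$file"
  echo "$n"
}

# gate FINDINGS_FILE THRESHOLD
# Returns 0 when the build may proceed, 1 when it must fail. Jenkins (or any
# CI system) treats a non-zero exit from this step as a failed build.
gate() {
  blocking=$(count_blocking "$1" "$2")
  if [ "$blocking" -gt 0 ]; then
    echo "build gate: $blocking finding(s) at or above $2; failing build" >&2
    return 1
  fi
  echo "build gate: no findings at or above $2; build may proceed" >&2
  return 0
}

# Constructed sample scanner output so the script runs stand-alone.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '# constructed findings\nHIGH\tSQLI-001\tapp/db.py:42\nLOW\tINFO-002\tapp/util.py:7\nMEDIUM\tXSS-003\tweb/views.py:88\n' > "$SAMPLE"

# Demonstration: the same findings pass a CRITICAL threshold but fail a HIGH one.
if gate "$SAMPLE" HIGH; then
  echo "unexpected: gate passed at HIGH"
else
  echo "gate correctly failed at HIGH (the HIGH finding blocks the build)"
fi
```

In a real pipeline the threshold would be a job parameter, so a team can start by blocking only CRITICAL findings and tighten it as the backlog shrinks; the point is that the check runs on every build rather than in a separate security review weeks later.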

The Difference a Security-Enabled DevOps Culture Can Make

With security left out of your DevOps culture, you have two possible outcomes: either security slows down development cycles (unlikely to be allowed), or releases happen without security oversight. The latter, and more common, outcome leaves you open to security vulnerabilities, attacks, and reputation damage. Not a risk worth taking, in our opinion.

In today’s culture of continuous release, it’s not just good to move fast, it’s essential if you want to stay competitive. But you can’t move fast and sacrifice security. The good news is that having a security-minded organization makes it possible to release high-quality software on a continuous basis while ensuring that it is safe and ready for prime time, every time.

Topics: Cloud Security, Security, DevOps, SecOps, Security-Enabled DevOps

Written by Pete Cheslock

As the head of Threat Stack's operations and support teams, Pete is focused on delivering the highest level of service, reliability, and customer satisfaction to Threat Stack's growing user base. An industry veteran with over 20 years' experience in DevOps, Pete understands the challenges and issues faced by security, development, and operations professionals everyday and how we can help. Prior to Threat Stack, Pete held senior positions at Dyn and Sonian where he built, managed, and developed automation and release engineering teams and projects.
