1 Management Summary

Today's organizations leverage agile paradigms for the design and development of software and for the implementation of modern infrastructures to achieve new levels of flexibility and agility. Role model organizations like Netflix, Google, Amazon or Spotify update their platforms continuously with several deployments per day. This typically requires ongoing changes to both the functionality and the infrastructure while making sure that reliability, stability and security remain unchanged.

The DevOps methodology goes far beyond traditional system operations in that it applies agile methodologies to the complete process of creating systems and infrastructures, ranging from software development to application release management and enterprise systems management on-premises and in the cloud.

While software development teams aim at a high frequency of feature updates and deployments, the definition, configuration and provisioning of modern infrastructure components allow us to look at system operations as just another programmable task. But such fundamental changes to the ways of delivering infrastructure and software in turn require a fundamental change to the implementation of an adequate level of security.

Organisations focusing on only providing solutions faster and more efficiently by applying the DevOps-approach without having strong security principles baked into their overall software development and operations processes are sooner or later, but inevitably, destined to run into information security disasters at an unprecedented scale.

This document aims at leveraging the benefits of modern, agile and DevOps-style methodologies while satisfying strong, state-of-the-art security requirements. It recognizes the fact that security in an agile environment also has to embrace agile approaches. This is achieved by laying a strong and stable foundation for the definition and integration of security requirements into agile software development processes from the beginning together with agile system operations as part of a modern provisioning process for IT services. For a cross-organisational approach we cover recommendations for adequate team and skill development, organisational recommendations and business-, software development-, operations- and overall technology-oriented recommendations.

2 Highlights

• Managing continuous change while delivering secure code and infrastructure requires an improved and streamlined approach to development and operations.
• Inherent security has to be understood as a business requirement.
• A reliable and robust “Application Security Infrastructure” specification is a key enabler for security in agile environments.
• Enterprise policies, legal and regulatory requirements and state-of-the-art security best practices need to be written as reusable code, templates and procedures.
• DevOps workflows need to make security an integral component.
• IT, operations and security need to come out of their respective silos, integrate and merge with each other, and reach out to the rest of the business.
• People and processes play a significant role in the on-going success of an all-embracing strategy for software development, security and infrastructure operations:
  • Cross-functional teams with equally skilled and equally responsible experts need to develop and implement efficient and secure business solutions;
  • Skilled and experienced security staff is rare - deploy practical approaches to empower your development and operations staff;
  • Software and infrastructure changes constantly, as do security paradigms and the threat landscape - constantly train, challenge and strengthen your staff
• Real-time data and analytics need to be the basis for improvement as well as an increasing level of security.
• Well-defined security embedded into all enterprise processes through “Security by design” and “Privacy by design” can encourage agility and subsequently leads to “Agility by design”.

3 Introduction

A lot of enterprises currently going through the process of digital transformation are maintaining their own infrastructure on premises and are looking into extending their business into the cloud. This might be done for various reasons, such as for the easier creation of infrastructure which would allow rapid scalability. More and more organisations, especially start-ups or companies embracing the Digitalization for their business models are moving all or parts of their infrastructure into the cloud. With this on-going Digital Transformation, the focus and business models of many organizations are shifting swiftly and sometimes very rapidly. Various components of the traditional value chain are moving into the digital business world. This might be an online shop as a replacement for traditional brick and mortar shops, an online customer relationship management system providing assistance or support, or the move towards fully digital products ─ for example online services, digital music or video. While online services are easily identifiable as part of the software business, this might not be that obvious when it comes to internal systems. However, it has to be clearly understood that most digital businesses must be considered as being in the software development business as well.

The traditional approach to software development and system design is no longer sustainable as software systems become an integral part of today’s business and of everybody’s daily life. There is an obvious and growing need for more digital services which in turn requires the clever integration of software and hardware, ranging from scalable server infrastructure to being accessible by mobile devices and various new types of devices. More importantly software needs to change and adapt to the growing demands of the customer and that means more releases being made available. All of this while being mostly transparent to the end user when it comes to server side components.

Spearheaded by modern “role model” enterprises such as Netflix, Spotify or Google, a lot of organisations are embracing alternative, agile methodologies for defining, implementing and maintaining their IT infrastructures. The process of incrementally transforming an existing, traditional enterprise into a modern, agile, digital business, as well as creating such a business from the ground up go far beyond redefining job profiles in IT.

Reaching out to the business for implementing their requirements while achieving and maintaining appropriate levels of security and compliance are fundamental prerequisites for succeeding in this process. Managing all the different dimensions of change in this process is a major challenge for any organisation.

4 Agile concepts and enterprise IT

To understand and review the current terminology for providing both software and IT infrastructure it is required to have a look at the underlying concepts.

4.1 Agile Methodology

Agile software development and agile project management are concepts that have been around for quite some time now. Many teams in software development and in general systems development work following methodologies that aim at improved communication and continuous collaboration while delivering constantly improving solutions with requirement specifications refining in parallel.

Looking at the historical perspective, agile development dates back to the so-called "Agile Manifesto" back in 2001. The authors of this rather short manifesto were looking into "better ways of developing software".

The principles they derived for this so-called "agile development" were to value:

• Individuals and interactions over processes and tools;
• Working software over comprehensive documentation;
• Customer collaboration over contract negotiation;
• Responding to change over following a plan.

This approach was rather revolutionary at that time, compared with traditional software development methodologies like the waterfall model with its clear-cut requirements, design, architecture and testing phases and rigid project management methods like Critical Chain Project Management or Prince2 . It soon attracted a huge followership within software development teams and also in general system development teams.

Various agile practices have been derived from this original manifesto, such as Scrum, Kanban or extreme programming (XP). Many software development companies and software development teams within larger enterprises and non-commercial organisations deploy agile software development concepts for their daily work. The benefits of that approach are usually described as follows:

• Continuous, incremental delivery of partial solutions that are immediately available for testing and analysis;
• Constant openness to changing requirements and environments;
• Instant feedback to delivered functionalities offering the opportunity to identify errors, issues and design flaws immediately;
• High productivity through constant communication with customers or corporate projects owners.

4.2 The “Dev” in DevOps

Agile software development paradigms have been transferred to many non-software development areas as well, inside and outside of IT or indeed of busin ...

An important part of the overall time for deploying this type of methodology for developing software is deliberately spent on having demonstrable code ...

4.3 The “Ops” in DevOps

So what does the "Ops" in DevOps mean, why did this need to be changed? We are looking at a completely new approach at creating application systems, c ...

The concept of DevOps obviously requires the availability of modern infrastructure components, sometimes described using the term "Infrastructure as C ...

5 An enterprise approach to Software development, operations and security

It is a logical conclusion that the changing requirements and changing infrastructures in a changing business world also require a change in software ...

5.1 The challenge of securing software

Software as of today goes far beyond the apps visible on consumer desktops or mobile devices: almost any modern application is no longer a standalone ...

5.2 The challenge of securing infrastructure

The days when infrastructure could be described as “machines within an organization’s data centres running software and services and controlled by ...

5.3 The missing “Sec” in DevOps

The issues are clear: providing enterprise- or even Internet-safe infrastructure puts a new set of highly sophisticated requirements on developers and ...

This requirement does not change no matter which deployment or design scenario is chosen.

The concept of DevOps does not only change the job descrip ...

5.4 Foundation layer “Application Security Infrastructure”

Software can be considered as a critical infrastructure for many organisations, just as software defined infrastructures are already. Their quality, a ...

5.5 From yesterday’s silos to a next generation IT organization

It sounds like a truism, but one of the key killers of agility within today’s organizations is still the fact, that the majority of enterprises rely ...

6 Inherent security

The changing requirements for an agile organization obviously and inevitably do require a fundamental change to the way that software, infrastructure, ...

6.1 Security by design

Security by design¹ as a principle defines inherent security as one key requirement for the specification of software and systems. This results in ...

6.2 Privacy by design

Privacy by design² (PbD) is a concept developed to approach the challenges of complex information and communications infrastructures and their impl ...

6.3 Complementing DevOps with Security

The need for adding appropriate security measures to the DevOps approach has been acknowledged. Various approaches have been suggested, including the ...

This set of requirements then should be the basis of actionable specifications that can be embedded into the processes of developing software and crea ...

Just like any other production system, the deployed infrastructure, as developed in a DevOps scenario requires appropriate operations procedures to ma ...

6.4 Getting to “Agility by design”

Security and its integration into organizational processes is typically considered as an inhibitor when it comes to the overall duration of solution d ...

7 Recommendations

Agile methodologies and especially the DevOps approach will have a profound effect on the way IT and software solutions are provided within modern org ...

7.1 A security strategy for software/system development and operations

Forward-thinking organisations will implement an agile approach, which combines

• agile software development methodologies
• modern, service oriente ...

7.2 Key recommendations

To succeed in this fundamental challenge an appropriate long-term strategy has to be defined and implemented that approaches the solution to this from ...

8 Related Research

Advisory Note: Working to the Business not the Auditors - 70865
Advisory Note: Your Business is Moving to the Cloud - 71156
Advisory Note: The New ABC for IT - 70,998
Advisory Note: Maturity Levels - 70,738
Advisory Note: Eight Fundamentals for Digital Risk Mitigation in the Age of Transformation – 71302
Advisory Note: Software Defined Infrastructures - 71111
Leadership Compass: API Security Management – 70958
Leadership Compass: Infrastructure as a Service - 70959