KuppingerCole Report
Advisory Note
By Matthias Reinwarth

Integrating security into an agile DevOps paradigm

Developing secure and robust applications and deploying them continuously and cost-effectively? All organizations, whether born digital or undergoing a digital transformation, face these challenges, though the answers are not straightforward. This document describes agile approaches to system development and delivery. It discusses why and how organisations should embed strong security principles into their development and operations approach.

1 Management Summary

Today's organizations leverage agile paradigms for the design and development of software and for the implementation of modern infrastructures to achieve new levels of flexibility and agility. Role model organizations like Netflix, Google, Amazon or Spotify update their platforms continuously with several deployments per day. This typically requires ongoing changes to both the functionality and the infrastructure while making sure that reliability, stability and security remain unchanged.

The DevOps methodology goes far beyond traditional system operations in that it applies agile methodologies to the complete process of creating systems and infrastructures, ranging from software development to application release management and enterprise systems management on-premises and in the cloud.

While software development teams aim at a high frequency of feature updates and deployments, the definition, configuration and provisioning of modern infrastructure components allow us to look at system operations as just another programmable task. But such fundamental changes to the ways of delivering infrastructure and software in turn require a fundamental change to the implementation of an adequate level of security.

Organisations that focus only on providing solutions faster and more efficiently by applying the DevOps approach, without strong security principles baked into their overall software development and operations processes, are sooner or later, but inevitably, destined to run into information security disasters at an unprecedented scale.

This document aims at leveraging the benefits of modern, agile and DevOps-style methodologies while satisfying strong, state-of-the-art security requirements. It recognizes that security in an agile environment also has to embrace agile approaches. This is achieved by laying a strong and stable foundation for defining security requirements and integrating them into agile software development processes from the beginning, together with agile system operations as part of a modern provisioning process for IT services. For a cross-organisational approach we cover recommendations for adequate team and skill development, organisational recommendations, and recommendations oriented towards the business, software development, operations and the overall technology.

2 Highlights

  • Managing continuous change while delivering secure code and infrastructure requires an improved and streamlined approach to development and operations.
  • Inherent security has to be understood as a business requirement.
  • A reliable and robust “Application Security Infrastructure” specification is a key enabler for security in agile environments.
  • Enterprise policies, legal and regulatory requirements and state-of-the-art security best practices need to be written as reusable code, templates and procedures.
  • DevOps workflows need to make security an integral component.
  • IT, operations and security need to come out of their respective silos, integrate and merge with each other, and reach out to the rest of the business.
  • People and processes play a significant role in the on-going success of an all-embracing strategy for software development, security and infrastructure operations:
    • Cross-functional teams with equally skilled and equally responsible experts need to develop and implement efficient and secure business solutions;
    • Skilled and experienced security staff are rare - deploy practical approaches to empower your development and operations staff;
    • Software and infrastructure change constantly, as do security paradigms and the threat landscape - constantly train, challenge and strengthen your staff.
  • Real-time data and analytics need to be the basis for improvement as well as an increasing level of security.
  • Well-defined security embedded into all enterprise processes through “Security by design” and “Privacy by design” can encourage agility and subsequently leads to “Agility by design”.

3 Introduction

A lot of enterprises currently going through the process of digital transformation maintain their own infrastructure on premises and are looking into extending their business into the cloud. This might be done for various reasons, such as the easier creation of infrastructure, which allows rapid scalability. More and more organisations, especially start-ups or companies embracing digitalization for their business models, are moving all or parts of their infrastructure into the cloud. With this on-going Digital Transformation, the focus and business models of many organizations are shifting, sometimes very rapidly. Various components of the traditional value chain are moving into the digital business world. This might be an online shop as a replacement for traditional brick-and-mortar shops, an online customer relationship management system providing assistance or support, or the move towards fully digital products, for example online services, digital music or video. While online services are easily identifiable as part of the software business, this might not be that obvious when it comes to internal systems. However, it has to be clearly understood that most digital businesses must be considered as being in the software development business as well.

The traditional approach to software development and system design is no longer sustainable as software systems become an integral part of today’s business and of everybody’s daily life. There is an obvious and growing need for more digital services, which in turn requires the clever integration of software and hardware, ranging from scalable server infrastructure to accessibility from mobile devices and various new types of devices. More importantly, software needs to change and adapt to the growing demands of the customer, and that means more releases being made available, all while remaining mostly transparent to the end user when it comes to server-side components.

Spearheaded by modern “role model” enterprises such as Netflix, Spotify or Google, a lot of organisations are embracing alternative, agile methodologies for defining, implementing and maintaining their IT infrastructures. The process of incrementally transforming an existing, traditional enterprise into a modern, agile, digital business, as well as creating such a business from the ground up, goes far beyond redefining job profiles in IT.

Reaching out to the business to implement its requirements while achieving and maintaining appropriate levels of security and compliance is a fundamental prerequisite for succeeding in this process. Managing all the different dimensions of change in this process is a major challenge for any organisation.

Figure 1: Dimensions of change

4 Agile concepts and enterprise IT

To understand and review the current terminology for providing both software and IT infrastructure, it is necessary to look at the underlying concepts.

4.1 Agile Methodology

Agile software development and agile project management are concepts that have been around for quite some time now. Many teams in software development and in general systems development follow methodologies that aim at improved communication and continuous collaboration while delivering constantly improving solutions, with requirement specifications being refined in parallel.

From a historical perspective, agile development dates back to the so-called "Agile Manifesto" of 2001. The authors of this rather short manifesto were looking into "better ways of developing software".

The principles they derived for this so-called "agile development" were to value:

  • Individuals and interactions over processes and tools;
  • Working software over comprehensive documentation;
  • Customer collaboration over contract negotiation;
  • Responding to change over following a plan.

This approach was rather revolutionary at that time, compared with traditional software development methodologies like the waterfall model, with its clear-cut requirements, design, architecture and testing phases, and rigid project management methods like Critical Chain Project Management or PRINCE2. It soon attracted a huge following within software development teams and also in general system development teams.

Various agile practices have been derived from this original manifesto, such as Scrum, Kanban or extreme programming (XP). Many software development companies and software development teams within larger enterprises and non-commercial organisations deploy agile software development concepts for their daily work. The benefits of that approach are usually described as follows:

  • Continuous, incremental delivery of partial solutions that are immediately available for testing and analysis;
  • Constant openness to changing requirements and environments;
  • Instant feedback to delivered functionalities offering the opportunity to identify errors, issues and design flaws immediately;
  • High productivity through constant communication with customers or corporate project owners.

4.2 The “Dev” in DevOps

Agile software development paradigms have been transferred to many non-software development areas as well, inside and outside of IT or indeed of busin ...

An important part of the overall time for deploying this type of methodology for developing software is deliberately spent on having demonstrable code ...


4.3 The “Ops” in DevOps

So what does the "Ops" in DevOps mean, why did this need to be changed? We are looking at a completely new approach at creating application systems, c ...

The concept of DevOps obviously requires the availability of modern infrastructure components, sometimes described using the term "Infrastructure as C ...


5 An enterprise approach to Software development, operations and security

It is a logical conclusion that the changing requirements and changing infrastructures in a changing business world also require a change in software ...


5.1 The challenge of securing software

Software as of today goes far beyond the apps visible on consumer desktops or mobile devices: almost any modern application is no longer a standalone ...


5.2 The challenge of securing infrastructure

The days when infrastructure could be described as “machines within an organization’s data centres running software and services and controlled by ...


5.3 The missing “Sec” in DevOps

The issues are clear: providing enterprise- or even Internet-safe infrastructure puts a new set of highly sophisticated requirements on developers and ...

This requirement does not change no matter which deployment or design scenario is chosen.

The concept of DevOps does not only change the job descrip ...


5.4 Foundation layer “Application Security Infrastructure”

Software can be considered as a critical infrastructure for many organisations, just as software defined infrastructures are already. Their quality, a ...


5.5 From yesterday’s silos to a next generation IT organization

It sounds like a truism, but one of the key killers of agility within today’s organizations is still the fact, that the majority of enterprises rely ...


6 Inherent security

The changing requirements for an agile organization obviously and inevitably do require a fundamental change to the way that software, infrastructure, ...


6.1 Security by design

Security by design [1] as a principle defines inherent security as one key requirement for the specification of software and systems. This results in ...


6.2 Privacy by design

Privacy by design [2] (PbD) is a concept developed to approach the challenges of complex information and communications infrastructures and their impl ...


6.3 Complementing DevOps with Security

The need for adding appropriate security measures to the DevOps approach has been acknowledged. Various approaches have been suggested, including the ...

This set of requirements then should be the basis of actionable specifications that can be embedded into the processes of developing software and crea ...

Just like any other production system, the deployed infrastructure, as developed in a DevOps scenario requires appropriate operations procedures to ma ...


6.4 Getting to “Agility by design”

Security and its integration into organizational processes is typically considered as an inhibitor when it comes to the overall duration of solution d ...


7 Recommendations

Agile methodologies and especially the DevOps approach will have a profound effect on the way IT and software solutions are provided within modern org ...


7.1 A security strategy for software/system development and operations

Forward-thinking organisations will implement an agile approach, which combines

  • agile software development methodologies
  • modern, service oriente ...

7.2 Key recommendations

To succeed in this fundamental challenge an appropriate long-term strategy has to be defined and implemented that approaches the solution to this from ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.