Tips for Securing DevOps in Higher Ed
With great speed come great vulnerabilities. When individual departments deploy new code independently in the DevOps discipline, security teams may find it hard to stay on top of a rapidly changing attack surface. How can these teams build security into the university’s new DevOps culture?
“The key here is to make everyone accountable for security,” Chacon said. “The objective is implementing security decisions and actions at the same scale and speed as development and operations decisions and actions.”
There is a term for that: DevSecOps, which is short for “development, security and operations.” It means security is automated and embedded into every stage of the development process.
The idea is that quality assurance and security testing should take place early in the development process, a practice known as “shifting left” in the “waterfall” style of software development.
“Ideally, one team manages all aspects of the service, including security and testing functions,” Chacon said. “The process and communication are focused on the end-to-end delivery of the entire service.” It’s important to note, however, that universities will still need to have teams focusing on their functional specializations.
At the end of the day, the DevOps and DevSecOps philosophies hold great promise and potential for higher education IT teams, but only if they are used wisely and integrated with university culture.