
How Security & QA Fit into the DevOps Cycle

Written by Blue Matador | Jul 25, 2017 4:24:00 AM

Security and QA kind of get a bad rap in DevOps circles. We get it: QA has traditionally been at the end of the DevOps cycle, if included at all. It’s a department staffed by people looking for problems. And building IT security requirements into the DevOps workflow can slow down agile processes quite a bit. There’s bound to be some animosity, or at least confusion, about how all these departments work together.

But there’s a reason QA and security are being mentioned more frequently in the context of the DevOps feedback loop. If you’re familiar with DevOps, you know that engineering and operations processes take place simultaneously as systems are monitored in a constant feedback loop to improve outcomes in every aspect. It’s all about continuous integration, continuous delivery, and automating as much of that as possible.

While security and QA have traditionally been siloed outside of this loop, or at least relegated to the back of the train, organizations increasingly report positive results from integrating each discipline into their broader IT picture.

Let’s take a look at each discipline.

Not Your Father’s DevOps Security

IT security of yesteryear was a relatively obscure departmental function whose role was to react to organizational security threats. A new worm infiltrated the system? Let’s get it fixed. A DDoS brought down the company’s public website? Let’s defeat the attack. New employee? Let’s provision their computer and get it locked down with a proper password and firewall profile.

However, implementing IT security today is a different story. Involving security from the outset puts secure processes into the DevOps cycle sooner. For example, starting with security in mind, you can ensure that new API endpoints require proper authentication as developers add them, instead of waiting for a data breach and then doing a large audit of everything to find and fix the security holes.
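One concrete way to make "new endpoints require authentication as they are added" hold by construction, as an added example that is not code from the original post or from Blue Matador: enforce the check once in the dispatch layer, make every route private unless a developer explicitly opts out, and expose the opt-out list so a security reviewer approves it in CI rather than discovering it in an audit. The route registry, token value, and `approved` allowlist are hypothetical; a real service would load the token from a secret store.

```python
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed example token; not a real secret and not from any real deployment.
API_TOKEN = "example-token-not-a-real-secret"

Handler = Callable[[dict], Tuple[int, str]]
ROUTES: Dict[str, dict] = {}


def route(path: str, public: bool = False):
    """Register a handler. Routes are private unless explicitly marked public."""
    def register(handler: Handler) -> Handler:
        ROUTES[path] = {"handler": handler, "public": public}
        return handler
    return register


def _bearer_ok(request: dict) -> bool:
    """Validate an 'Authorization: Bearer <token>' header."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return False
    presented = header[len("Bearer "):]
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(presented, API_TOKEN)


def dispatch(path: str, request: dict) -> Tuple[int, str]:
    """Single entry point for all requests. Authentication is enforced here,
    so a newly added endpoint cannot forget it: a developer who wants an
    unauthenticated route has to write public=True, which the audit below
    surfaces for review."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    if not entry["public"] and not _bearer_ok(request):
        return 401, "authentication required"
    return entry["handler"](request)


def public_routes() -> List[str]:
    """Every endpoint reachable without credentials."""
    return sorted(p for p, e in ROUTES.items() if e["public"])


def allowlist_drift(approved: set) -> List[str]:
    """CI gate: public routes that security has not signed off on.
    A non-empty result should fail the build."""
    return sorted(set(public_routes()) - approved)


@route("/health", public=True)
def health(_request: dict) -> Tuple[int, str]:
    return 200, "ok"


@route("/users")  # private by default: the developer wrote no auth code here
def list_users(_request: dict) -> Tuple[int, str]:
    return 200, "alice,bob"


def demo() -> dict:
    """Exercise the cases a reviewer cares about."""
    good = {"headers": {"Authorization": f"Bearer {API_TOKEN}"}}
    return {
        "no_token": dispatch("/users", {"headers": {}}),
        "bad_token": dispatch("/users", {"headers": {"Authorization": "Bearer wrong"}}),
        "good_token": dispatch("/users", good),
        "public": dispatch("/health", {"headers": {}}),
        "unapproved_public": allowlist_drift({"/health"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the pattern is that the secure path is the default path: forgetting to think about authentication yields a locked-down endpoint, and the only way to open one up leaves a trace that the security reviewer sees in the pipeline.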

It’s about automating as much of your cloud security monitoring processes as possible and cutting down on wasted time later in the feedback loop. Though they know a lot more about security than the average person, DevOps engineers will readily admit they’re not security experts. Security experts are security experts, and they ought to be a part of your DevOps team.

QA: It’s Not Just About Detecting Bugs

Typically, QA has been relegated to a separate process (or department) in a company’s development process. But is this wise?

Think of your infrastructure itself as code. Just as you test your code for bugs and compile errors, your server setup and software stack need to be monitored and tested for similarly devastating problems: misconfigured integrations, hardware failures, and more.

Here’s the rub. QA typically deals in application code written by developers, but testers are also invaluable in checking infrastructure and configuration changes. DevOps quality assurance is about preventing problems in the first place. This is done by treating every change as testable, not just changes made by developers. Give QA an environment that closely mimics production, and get them involved in testing changes to that environment before those changes are applied to production.
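What "treating a configuration change as testable" can look like in practice, as an added example that is not from the original post or from Blue Matador: a policy check that runs in the pipeline against a proposed service config and fails the change when it carries a weak setting, shown beside the corrected config that passes. The config layout, field names and values are constructed for the example and are not from any real deployment.

```python
import json
from typing import List

# Constructed sample: a service config as a developer might commit it,
# before QA and security review. Not from any real deployment.
PROPOSED_CONFIG = json.dumps({
    "service": "billing-api",
    "listen": "0.0.0.0:8080",
    "tls": {"enabled": False},
    "debug": True,
    "cors_allowed_origins": ["*"],
    "database": {"host": "db.internal", "port": 5432, "sslmode": "disable"},
    "payments_webhook": {"url": "http://hooks.example.test/pay",
                         "verify_signature": False},
})

# The same config after the findings below are fixed.
CORRECTED_CONFIG = json.dumps({
    "service": "billing-api",
    "listen": "0.0.0.0:8080",
    "tls": {"enabled": True, "cert": "/etc/ssl/billing.pem",
            "key": "/etc/ssl/billing.key"},
    "debug": False,
    "cors_allowed_origins": ["https://app.example.test"],
    "database": {"host": "db.internal", "port": 5432, "sslmode": "require"},
    "payments_webhook": {"url": "https://hooks.example.test/pay",
                         "verify_signature": True},
})


def check_config(raw: str) -> List[str]:
    """Return a list of findings for a config document.
    An empty list means the change may proceed to the staging environment."""
    cfg = json.loads(raw)
    findings: List[str] = []
    tls = cfg.get("tls", {})
    if not tls.get("enabled", False):
        findings.append("tls.enabled is false: service accepts plaintext connections")
    elif not (tls.get("cert") and tls.get("key")):
        findings.append("tls is enabled but cert or key is missing: service will fail to start")
    if cfg.get("debug"):
        findings.append("debug is true: stack traces and internals leak to clients")
    if "*" in cfg.get("cors_allowed_origins", []):
        findings.append("cors_allowed_origins contains '*': any site can call the API from a browser")
    if cfg.get("database", {}).get("sslmode", "disable") == "disable":
        findings.append("database.sslmode is disable: credentials and data cross the network unencrypted")
    hook = cfg.get("payments_webhook", {})
    if hook.get("url", "").startswith("http://"):
        findings.append("payments_webhook.url is plain http: callbacks can be read or altered in transit")
    if not hook.get("verify_signature", False):
        findings.append("payments_webhook.verify_signature is false: anyone who knows the URL can forge callbacks")
    return findings


def gate(raw: str) -> bool:
    """Pipeline gate: True only when the config has no findings."""
    return check_config(raw) == []


if __name__ == "__main__":
    for name, raw in (("proposed", PROPOSED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "passes" if gate(raw) else "fails")
        for finding in check_config(raw):
            print("  -", finding)
```

Each finding names the setting and what an attacker gains from it, so the developer who wrote the change, the QA tester who runs it, and the security reviewer who approves it read the same message. The checks are deliberately specific to one config format; the habit being demonstrated is that the config is an input to a test like any other code.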

What Needs to Be Done

The idea is that “everything is testable” applies to the entire DevOps cycle. Development, operations, and security experts should be integral to the methodology, and QA testers need to adopt this mindset too. In our experience, QA folks are more than ready to jump in and become part of the process, because they are eager to learn and help.

Additionally, security personnel need to be involved in the development process, helping to plan system architecture along the way. They will generally be eager to get involved as well.

Blue Matador’s monitoring products can help keep everyone in the loop. Lumberjack, our centralized log management software, can put log file insights into the right hands at the right time with configurable, predictive alerts. For instance, QA can see app errors, IT security can monitor suspicious logins, and of course, DevOps personnel can receive notifications about issues that could lead to downtime.