IT Security: DevOps In The Middle

We all still remember when in 2009, Flickr initiated a process of rethinking in development management with a presentation titled “10+ deploys per day: Dev and Ops Cooperation“. At that point in time, development and operations were strictly separated. After the development team finished the product, the operators implemented it. Errors which became apparent after implementation were reported to the staff in development. They then proceeded to fix those errors outside of the business environment.

This time-consuming methodology suppresses innovation, especially in web application development. With DevOps, developers and operators should now be in the same boat. Smaller updates with much, much shorter lifecycles should be deployed in a productive environment. Consequently, numerous tasks become mostly automated and are continuously operated in the background. Errors  are therefore recognized and addressed much earlier. The whole process from development to operation should become more agile and faster.

SAP and DevOps

According to the “Trend Study DevOps 2017“, roughly half of all companies in Germany use DevOps, and in most cases, they are still working on the first step, the implementation of DevOps. Regarding SAP systems which traditionally are much more segmented than others (OS/Datacenter, DB, base, application), this number could be much lower. That’s because with mission-critical applications, the motto “Never touch a running system“ is much more common as with other web-based applications.

What is more, many DevOps concepts, like continuous integration and automated unit tests, are difficult to integrate into traditional SAP development processes. Before even arriving in a SAP environment, DevOps is therefore already outdated.

Security should be incorporated into the development process early on. That’s because security plays a part in the operating of applications, and functional defects carry the risk of the results of an agile DevOps process to be sent back to the drawing board.

Preventing security leaks early on

It is precisely this approach that DevSecOps is promoting. Security experts should not only be tasked with safeguarding the finished product, but also with recognizing and ideally preventing security leaks – which can turn into severe problems in business operations – early on in the software development lifecycle.

Even if some DevOps concepts are not completely compatible with SAP development, it remains fact that a lot of “critical“ or “hot topic“ security notes of the last years could have been avoided by holistic integration of security in the development process. The same goes for the on average two million lines of custom code in SAP systems.

Tools that make agile DevSecOps approaches possible are numerous in the SAP world: from excellently integrated tools for statistical code analytics, Static Code Security Testing (SAST), to test automation of packaged solutions.

Such tools, mixed with the continuous cooperation and combined brain power of SAP developers, security experts and operation teams, lead almost inevitably to the prevention of obvious security leaks in custom code. Security is integrated into the code instead of retrospectively administered.

Considering the average costs of a SAP security breach which, according to a study by the Ponemon institute, amount to 4.5 million U.S. dollars, the motivation of companies to deploy DevSecOps concepts also for SAP application development should be very high.

Maybe the perfect buzzword would give companies a jump start in motivation? If this is the case, I am more than happy to provide them with the term DevSecSAPOps.