June 25, 2017

How are containers changing DevOps? By enabling DevSecOps. That, at least, is the message from Aqua Security, which is pushing the thesis that containers are the key to achieving automated, predictable security operations.

DevSecOps is an extension of the DevOps concept that emphasizes the integration of security teams into continuous delivery workflows.

In theory, DevSecOps is a great idea. But in practice, integrating security into continuous delivery can be challenging. Developers and IT ops folks are rarely trained in security. And security teams don’t necessarily know how to code or administer servers.

For DevSecOps to work, everyone involved in continuous delivery needs to speak the same language and work with the same environment. That traditionally has been difficult.

Containers and DevSecOps

With containers, it doesn’t have to be. As Aqua notes in a recent blog post on containers and DevOps:

Container technology is probably THE great enabler of DevSecOps. Not only does it make rapid, repeatable application development and deployment cycles possible, but it also makes it possible for them to be more secure. Containers are immutable and therefore are never patched in runtime, but simply replaced with new versions. This shifts much of the security controls to the “left”, i.e., upstream into the development cycle.

In other words, containers provide environment parity, which increases consistency and predictability in the workloads of developers, ops and security. By extension, consistency and predictability facilitate easier collaboration between everyone involved in continuous delivery.

It also helps that containers are an ideal building block for immutable infrastructure. In a containerized environment, you don’t try to fix security problems by modifying something that is already running. Instead, when you want to update something, you deploy new containers. Because the updated container images can be thoroughly vetted before they are deployed, there is less chance of introducing a security bug to production.

Plus, immutable infrastructure is more difficult for attackers to exploit. If they try to install malicious code inside a containerized environment, it will be destroyed whenever the container images are updated — unless the attackers are able to tamper with container images themselves, an intrusion that registry scanners are designed to prevent.
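As an added illustration of the vetting-before-deployment and replace-don't-patch model described above (example code, not from the article or from Aqua), here is a small Python admission gate: it admits only digest-pinned images that carry a passing, pipeline-signed scan record, and it flags running containers whose image digest has drifted from the one that was approved. The ScanRecord structure, the scan verdicts and the image names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Only digest-pinned references are immutable; a tag such as "app:latest" can
# be re-pointed at different content after the image was vetted.
DIGEST_REF = re.compile(r"^(?P<repo>[\w./:-]+)@sha256:(?P<digest>[0-9a-f]{64})$")


@dataclass(frozen=True)
class ScanRecord:
    """Hypothetical registry-scanner verdict for one image digest."""
    critical_findings: int
    signed_by_pipeline: bool


def parse_image_ref(ref):
    """Return (repository, digest) for a digest-pinned reference, else None."""
    m = DIGEST_REF.match(ref)
    return (m.group("repo"), m.group("digest")) if m else None


def admit(ref, scans, max_critical=0):
    """Decide whether an image may be deployed. Returns (allowed, reason)."""
    parsed = parse_image_ref(ref)
    if parsed is None:
        return False, "reference must be pinned by sha256 digest, not a tag"
    _repo, digest = parsed
    record = scans.get(digest)
    if record is None:
        return False, "digest has no registry scan record; vet it first"
    if not record.signed_by_pipeline:
        return False, "digest was not signed by the build pipeline"
    if record.critical_findings > max_critical:
        return False, f"{record.critical_findings} critical findings (limit {max_critical})"
    return True, "ok"


def find_drift(approved, running):
    """Names of running containers whose image digest no longer matches the
    digest that passed admission, i.e. something was changed in place."""
    return sorted(name for name, digest in running.items()
                  if approved.get(name) != digest)


# Constructed sample data: three digests as a scanner might report them.
SCANS = {
    "a" * 64: ScanRecord(critical_findings=0, signed_by_pipeline=True),
    "b" * 64: ScanRecord(critical_findings=2, signed_by_pipeline=True),
    "c" * 64: ScanRecord(critical_findings=0, signed_by_pipeline=False),
}
```

A drifted container is a signal to replace it from the approved image rather than to repair it in place.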

In all of these ways, as Aqua notes, containers help to make security operations part and parcel of continuous delivery, rather than something that is tacked on after software has been deployed to production.

Conclusion: How Containers are Revamping DevOps

Singing the security praises of containers is what you’d expect from Aqua, of course. Aqua is a company that specializes in container security.

But there’s something to the idea that containers are the missing link that will help organizations actualize DevSecOps. That’s a big deal, because DevSecOps is in many ways the next big step forward for organizations seeking to do more with DevOps.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.