DevSecOps: How Change Automation and Security Go Hand-in-Hand
Unfortunately, cyber-attacks and losses related to insufficient IT security are real, and the applications supporting modern enterprises represent some of the biggest potential exposures to data breaches and downtime. Still, these applications are central to the success of the business. So, how does one ensure their availability, reliability, and security?
DevOps has proven valuable in optimizing the software development process. Can the concepts of DevOps be used for security, too?
What is DevOps?
DevOps enables organizations to continuously deliver value and innovation. Built on the foundations of Agile methodology and coupled with automation ensuring consistent process and rigor, the concepts of iterative development and automated integration and delivery are industry proven. When used, DevOps consistently improves the entire trinity of lowered costs, increased quality, and faster delivery.
Among SAP teams, however, DevOps is less common. The unique architectural and technical properties of SAP make the use of existing DevOps tooling impractical or technically impossible. ActiveControl is a solution built specifically for SAP and addresses these direct challenges. With it, the principles of DevOps absolutely work in SAP, enabling teams to deliver value to customers as quickly and frequently as the business requires.
What is DevSecOps?
The topic of IT security often defaults to the concerns of bad actors, data backups, or infrastructure reliability. Those are certainly a part of security, but DevSecOps is an evolution of DevOps. With DevSecOps, teams apply a DevOps methodology and mindset to security change. Bringing the same rigor, consistency, and error reduction to security change as DevOps brings to functional change results in speed, lower costs, and improved quality.
The role of change control in DevSecOps
DevSecOps extends beyond preventing intrusions and patching holes; it supports the business with concern for the impact of change, including business continuity, availability for end users, and a broader context for operational excellence. In one sense, DevSecOps considers the security of the business first, thinking beyond underlying IT systems.
One might consider DevSecOps for key processes including onboarding and offboarding procedures, tightening change and potential holes as key technical staff join and exit an organization. Applying DevOps here means a highly rigorous and efficient process delivering necessary changes without inconsistency and additional security exposure due to oversight in execution. DevSecOps also supports documentation and auditing in ISO 9001 or FDA-regulated environments with automatic documentation of change processes, enabling adherence with regulatory reporting.
How automation enables DevSecOps in SAP
What does success with DevSecOps in SAP look like?
DevSecOps will change processes, and people are key to the successful transformation. Traditional SAP development follows a very linear — ‘Waterfall’ — approach, with large, cumbersome release mammoths, lumping massive disruption along each stage of the release process. In contrast, DevOps focuses on the outcomes and delivering value to the business faster, usually in smaller, incremental pieces. “It’s not possible in SAP”, and “we’ve been successful for 30 years, why this now?” will be common pushback.
The technology will change, too. Automation tools designed specifically for the unique requirements of SAP are essential. Classic examples include separation of duties using role-based security, and audit of each action and approval. Automated technical review at each point along the process helps prevent skipped steps and requirements. A robust workflow and rules engine for work routing, plus scheduling for automated delivery are typical. Automation solutions, including ActiveControl, are tailor made for these requirements.
Code quality remains a valuable investment as an aspect of security and benefits from the automation of quality processes, including the integration of existing tooling such as ABAP test cockpit or Code Inspector. While these tools bring great analysis, equally important is their consistent application and the enforcement of utilization as a gateway during the release process. Additionally, segregation of duties ensures the right eyes at the right time in the process, preventing oversight more likely with self-approval and self-review processes.
Audit tracking and reporting without automation is especially tedious and time-consuming. With the proper custodian of change in place, this is highly automatic, and eliminates manual exercises for change information.
And finally, having a robust SAP DevSecOps pipeline enables connectivity to software change and processes typical across the rest of the enterprise. Coordinating change across solutions and ensuring change is thought of as a system-wide event helps reduce errors and oversight due to discontinuous design considerations, and allows the team to plan business change, not just technical change.
Why you need DevSecOps automation
The benefits of DevSecOps automation are significant. Firstly, it enables teams to rapidly respond and deliver changes to SAP when security issues arise, or critical operational changes need to happen fast. Having these processes and tools in place allows teams to deliver those changes on-demand without sacrificing quality. All the rigor around control and governance, quality checks and approvals still happen, they just happen automatically.
DevSecOps allows SAP teams to be more proactive in defending against security risks as well. As most of us know, applying changes to SAP, especially large changes or updates, typically means we must freeze all but the most critical changes out of our SAP environment. The answer to this would be to have multiple parallel development tracks, but that’s not financially feasible for many organizations. Those that are running N+n landscapes are trying to avoid introducing regressions into Production once changes are released.
ActiveControl eliminates these challenges because it automatically handles any retrofitting needed and ensures that your production and development tracks stay in sync the whole time. This allows SAP teams to keep their systems up to date and secure at a significantly lower cost to the business, so they are no longer forced to pick and choose which updates or patches to apply.
DevSecOps is vital to the security of SAP systems and it’s easy to implement for most organizations because it’s a natural evolution from many of the DevOps practices already in place. The key to bringing it into SAP is having the right automation tool like ActiveControl. It empowers teams to significantly reduce the effort, time and cost of delivering changes to SAP, making it easy to build greater security across the landscape.