DevOps needs no introduction in the world of software development. By streamlining software delivery and driving a broad cultural shift, it has become part of the fabric of most software organizations. It has also given rise to related approaches such as DevSecOps, which brings DevOps and security practices together: security testing moves as early into the development process as possible, and the discipline extends beyond security automation alone.
But even after an organization adopts DevSecOps and puts early-stage testing and other security controls in place, it cannot simply assume it is safe from cyber threats. One of the best ways to confirm that systems are behaving as intended is to track the right metrics; they show how the security program, and not only the application, is actually performing.
In this article, we will touch on some key principles for security in DevOps, and the importance of measuring the right metrics.
Security in DevOps
There has long been a conceptual divide between security and DevOps. This is understandable: DevOps prizes rapid, efficient releases, while security prizes fixing vulnerabilities regardless of how long that takes. Over time, the software development world realized that this separation wasn't ideal.
A well-oiled IT organization is one where DevOps and security are not mutually exclusive. DevOps and Security should reinforce each other and pursue mutually beneficial goals. This leads to DevOps and security teams creating a common language of shared metrics that each team can leverage to measure individual and organizational progress toward collective goals.
The importance of measuring the right metrics
Measurement is essential to process improvement and is a fundamental part of DevOps. Even an organization running an effective security program still needs to know which metrics to measure. A team that doesn't know what to measure cannot manage the security of its system effectively, and measuring the wrong metrics wastes precious time without producing anything useful.
Principles for measuring security
Before measuring security, it is important to keep these three points in mind.
a) Measure at the global level
Focus on having security metrics at the organizational level instead of the team level. This helps prioritize business needs over team needs and helps the enterprise achieve its goals.
b) Don’t lose sight of the bigger picture
Don’t spend a significant amount of time focusing on individual security components in isolation. Doing so shifts attention away from the impact each component has on the system as a whole.
c) Outcomes vs. outputs
Outputs (the work product) are not the same as outcomes, and producing an output does not automatically produce a tangible outcome. Measuring outputs alone therefore provides a false sense of security. Teams should instead focus on each outcome and its overall impact.
Key security metrics to track
While there are many metrics one could monitor, here are the four most critical ones for tracking security within a cloud-based DevOps environment.
1. Deployment metrics
Deployment metrics measure the overall health of the deployment process. Ideally, organizations should be able to deploy on demand. Examples of deployment metrics are deployment frequency, time-to-deploy, and environment configuration drift.
Deployment frequency measures how often new code changes, ideas, features, or fixes are deployed to production. Maintaining a high deployment frequency lets a team deliver bug fixes, security patches and new features rapidly, and receive real-world feedback just as quickly.
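Environment configuration drift is the deployment metric that most directly affects security posture, because an environment that silently diverges from its declared baseline (a weaker TLS floor, debug mode left on, an admin allow-list widened to the world) is a security regression that never went through review. The following is an added example, not code from the original article: it diffs what each environment reports against a declared baseline, separates security-relevant drift from ordinary release drift, and reports the drift rate across environments. All environment names, keys and values are constructed for illustration.

```python
"""Configuration-drift check: compare what each environment reports against the declared baseline."""
from dataclasses import dataclass

# Constructed baseline (hypothetical keys and values): the settings every production environment should run.
BASELINE = {
    "tls_min_version": "1.2",
    "debug": False,
    "admin_cidrs": ["10.0.0.0/8"],
    "session_timeout_minutes": 30,
    "image_tag": "api:2.4.1",
}

# Constructed snapshots of what each environment actually reports (hypothetical names and values).
OBSERVED = {
    "prod-eu": {"tls_min_version": "1.2", "debug": False, "admin_cidrs": ["10.0.0.0/8"],
                "session_timeout_minutes": 30, "image_tag": "api:2.4.1"},
    "prod-us": {"tls_min_version": "1.0", "debug": True, "admin_cidrs": ["0.0.0.0/0"],
                "session_timeout_minutes": 30, "image_tag": "api:2.4.1"},
    "prod-ap": {"tls_min_version": "1.2", "debug": False, "admin_cidrs": ["10.0.0.0/8"],
                "session_timeout_minutes": 30, "image_tag": "api:2.3.9", "legacy_auth": True},
}

# Keys whose drift weakens the security posture rather than just the release state.
SECURITY_KEYS = {"tls_min_version", "debug", "admin_cidrs", "session_timeout_minutes", "legacy_auth"}


@dataclass
class Drift:
    env: str
    changed: dict      # key -> (expected, actual)
    missing: list      # declared in the baseline, absent from the environment
    unexpected: list   # present in the environment, not declared in the baseline

    def total(self) -> int:
        return len(self.changed) + len(self.missing) + len(self.unexpected)

    def security_relevant(self) -> list:
        keys = list(self.changed) + self.missing + self.unexpected
        return sorted(k for k in keys if k in SECURITY_KEYS)


def diff_config(env: str, baseline: dict, observed: dict) -> Drift:
    changed = {k: (baseline[k], observed[k])
               for k in baseline if k in observed and observed[k] != baseline[k]}
    missing = sorted(k for k in baseline if k not in observed)
    unexpected = sorted(k for k in observed if k not in baseline)
    return Drift(env, changed, missing, unexpected)


def drift_report(baseline: dict, observed_by_env: dict) -> dict:
    return {env: diff_config(env, baseline, cfg) for env, cfg in observed_by_env.items()}


def drift_rate(report: dict) -> float:
    """Fraction of environments that deviate from the baseline at all."""
    return sum(1 for d in report.values() if d.total()) / len(report)


def security_drift_rate(report: dict) -> float:
    """Fraction of environments whose drift touches a security-sensitive key."""
    return sum(1 for d in report.values() if d.security_relevant()) / len(report)


if __name__ == "__main__":
    report = drift_report(BASELINE, OBSERVED)
    for env, d in report.items():
        print(f"{env}: {d.total()} drifted key(s), security-relevant: {d.security_relevant()}")
    print(f"drift rate {drift_rate(report):.0%}, security drift rate {security_drift_rate(report):.0%}")
```

Note that unexpected keys are treated as drift too: a setting that appears in an environment but was never declared (here the constructed `legacy_auth`) is exactly the kind of change that bypasses review, so it is counted and, where it is on the sensitive list, flagged as security-relevant. The two rates are the numbers worth trending over time; a rising security drift rate with a flat overall drift rate says the gap is specifically in security controls.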
2. Mean time to repair (MTTR) metrics
MTTR measures the average time an enterprise takes to recover from a failure in production: how quickly the fault can be fixed and service restored. Recovering rapidly depends on detecting the failure promptly, which requires continuous monitoring of the system’s health, and then getting a fix deployed quickly.
This is an important metric for maintaining resiliency and stability, and it reinforces the practice of continuous learning and improvement. Organizations should strive for an MTTR under an hour, or under a day, depending on the system. Anything over a day usually points to gaps in monitoring or in the path from fix to deployment, and significantly derails the process. MTTR is itself built from smaller measures such as time to triage and time to remediate.
3. Lead time metrics
Lead time metrics measure an organization’s capacity to respond to change. They focus on the time taken to build and deliver requested security features. Organizations should strive for an average lead time of under an hour.
Lead time metrics help teams understand how effective their processes are, how quickly they respond to change requests, and what needs improvement. They include rework time, cycle time, and time-to-value.
4. Cycle time metrics
Cycle time measures the time taken from when a developer makes a commit to the moment it’s deployed to production. It helps establish baselines for development pipelines and enables one to understand what works best in a development pipeline.
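Deployment frequency, MTTR (with its triage and remediation components), lead time and cycle time, as described in the four sections above, are all durations or counts derived from timestamps the pipeline and the incident tracker already record. The block below is an added example, not code from the original article, that computes all of them from a set of constructed records for one week and places MTTR and lead time in the bands the article uses as targets (under an hour, under a day, over a day). Every commit identifier, incident number, request identifier and timestamp is made up for the illustration.

```python
"""Delivery and recovery metrics computed from pipeline and incident records."""
from datetime import datetime
from statistics import mean, median


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed records for one week (hypothetical identifiers and timestamps, not real data).
DEPLOYS = [  # each production deployment, with the commit it carried
    {"sha": "a1f3", "commit_at": ts("2024-03-04T09:00"), "deployed_at": ts("2024-03-04T10:30")},
    {"sha": "b7c2", "commit_at": ts("2024-03-04T14:00"), "deployed_at": ts("2024-03-04T15:00")},
    {"sha": "c9d8", "commit_at": ts("2024-03-05T11:00"), "deployed_at": ts("2024-03-06T11:00")},
    {"sha": "d4e1", "commit_at": ts("2024-03-07T08:00"), "deployed_at": ts("2024-03-07T08:45")},
]
INCIDENTS = [  # production failures: detected -> acknowledged (triage done) -> restored
    {"id": "INC-1", "detected_at": ts("2024-03-05T02:00"), "acked_at": ts("2024-03-05T02:10"),
     "restored_at": ts("2024-03-05T02:40")},
    {"id": "INC-2", "detected_at": ts("2024-03-06T18:00"), "acked_at": ts("2024-03-06T20:00"),
     "restored_at": ts("2024-03-07T06:00")},
]
REQUESTS = [  # security feature requests: requested -> delivered to production
    {"id": "SEC-10", "requested_at": ts("2024-03-01T09:00"), "delivered_at": ts("2024-03-04T10:30")},
    {"id": "SEC-11", "requested_at": ts("2024-03-06T09:00"), "delivered_at": ts("2024-03-07T08:45")},
]
WINDOW = (ts("2024-03-04T00:00"), ts("2024-03-11T00:00"))  # seven-day reporting window


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def deployment_frequency(deploys, window) -> float:
    """Production deployments per day inside the reporting window."""
    start, end = window
    count = sum(1 for d in deploys if start <= d["deployed_at"] < end)
    return count / (end - start).days


def cycle_time_hours(deploys) -> float:
    """Median commit-to-production time; the median keeps one stuck change from skewing the figure."""
    return median(hours(d["commit_at"], d["deployed_at"]) for d in deploys)


def time_to_triage_hours(incidents) -> float:
    """Mean time from detection to acknowledgement."""
    return mean(hours(i["detected_at"], i["acked_at"]) for i in incidents)


def time_to_remediate_hours(incidents) -> float:
    """Mean time from acknowledgement to restored service."""
    return mean(hours(i["acked_at"], i["restored_at"]) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean detected-to-restored time; on average it equals triage plus remediation."""
    return mean(hours(i["detected_at"], i["restored_at"]) for i in incidents)


def lead_time_hours(requests) -> float:
    """Mean time from a security feature being requested to its delivery in production."""
    return mean(hours(r["requested_at"], r["delivered_at"]) for r in requests)


def band(value_hours: float) -> str:
    """Place a duration in the bands the article uses as targets."""
    if value_hours < 1:
        return "under 1 hour"
    if value_hours < 24:
        return "under 1 day"
    return "over 1 day"


def scorecard(deploys=DEPLOYS, incidents=INCIDENTS, requests=REQUESTS, window=WINDOW) -> dict:
    mttr = mttr_hours(incidents)
    lead = lead_time_hours(requests)
    return {
        "deploys_per_day": deployment_frequency(deploys, window),
        "cycle_time_h": cycle_time_hours(deploys),
        "time_to_triage_h": time_to_triage_hours(incidents),
        "time_to_remediate_h": time_to_remediate_hours(incidents),
        "mttr_h": mttr, "mttr_band": band(mttr),
        "lead_time_h": lead, "lead_time_band": band(lead),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:22} {value:.2f}" if isinstance(value, float) else f"{name:22} {value}")
```

Two design choices matter here. Cycle time uses the median rather than the mean, because a single change that sat for a day (the constructed `c9d8`) would otherwise dominate a week of otherwise fast deployments; the opposite holds for MTTR, where the slow incident is the one you want to see. And splitting MTTR into time to triage and time to remediate is what makes the number actionable: in the constructed data the second incident's twelve hours are mostly remediation, not detection, so the fix belongs in the deploy path rather than in monitoring.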
It’s important to remember that you can’t manage what you can’t measure. Being able to track metrics is key to having an efficient security posture. The marriage between DevOps and security provides organizations with the perfect opportunity to leverage DevOps to transform their application security program. That being said, it’s pivotal to understand that failure is inevitable. Trying to eliminate failure entirely can be unrealistic and counterproductive. Therefore, the focus must always be on continuously monitoring your systems and leveraging important metrics to remedy threats and build resilience within the system and within the organization.