DevOps and traditional security seem to be at odds with one other. But it doesn’t have to be that way. You can make security a part of your DevOps process without sacrificing agility or security. First, let’s define what DevOps is. Let’s then look at how it combines with security to create DevSecOps.
DevOps: A Working Definition
So, what do we mean by “DevOps”? The name itself implies a combination of “development” and “operations,” but it involves a lot more than just sticking two departments together under one umbrella. It is a culture and process that has a lot in common with Agile, only even more extreme in some ways.
Instead of a release schedule measured in months or weeks, a DevOps team may release a new version 10, 50, 100, or more times every single day, with the developers that write the code deploying their own code directly to production. This is made possible by automating every step of the release pipeline.
DevOps teams rely on a variety of tools to help them deploy code faster, and in many cases, they write or extend these tools themselves. Continuous integration tools like Jenkins ensure that every code change results in a completely new product build. Various unit tests and acceptance tests can be run against the new build to verify that no regressions exist in the new build that would cause problems in production.
Configuration management tools like Puppet and Chef allow you to define your server infrastructure as code, so that new servers can be provisioned in minutes instead of days. Performance statistics and the results of experimental A/B tests on users are used as feedback for the next round of improvements, and the cycle begins all over again.
To a traditional IT operations team, the idea of developers (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Bob Thomas. Read the original post at: The State of Security