BSides Springfield Preview: How To DevOps (While Sneaking in Security)
As companies embrace the DevOps phenomenon in hopes of producing applications at a faster rate, they are also introducing insecure software into the digital ecosystem.
DevOps itself is a software lifecycle movement that blends development and operations tasks to accelerate application building in a quick, clean, and repeatable manner for faster time-to-market.
In DevOps environments, up to 500 software changes can be deployed each day, a far higher rate than applications built with more traditional methodologies such as Waterfall. But with this speed, companies are challenged to integrate security into their DevOps pipeline while still producing quality software.
Traditional security tasks, such as third-party penetration testing, maintenance patching, and quarterly software upgrades, do not fit well within the DevOps process because of their slower pace. As a result, vulnerable applications are deployed and, when exploited, lead to regulatory fines, poor publicity, and reputation damage.
Many organizations wish to embed security processes and controls into the DevOps flow but must do so with little-to-no intrusion. There are social and technical changes required to achieve this goal.
The first requirement for baking security into the DevOps pipeline is corporate culture change. This cultural shift goes beyond writing security policies and thrusting them upon departments like draconian edicts.
Top executive management must understand and agree on the value security adds to the software they deliver to their customers. That agreement and understanding must be demonstrated through action and through the authority given to development teams. For example, dev teams must be allocated project tasks and time for security-related work.
Rather than treating security errors as a separate category, vulnerability fixes must be handled with the same rigor as any other functionality bug.
The second requirement includes an internal application security team integral to the construction of the software. This team composition can be security professionals alongside programmers who (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/devops/how-to-devops-while-sneaking-in-security/