Back to the Future: Stick to the Fundamentals for DevOps Security
In early August, I will be leading a couple of sessions at the Community College Cyber Summit about cyber security fundamentals. I’ve also been spending time working with my amazing colleagues here at Tripwire on a really cool new offering for DevOps pipelines, Tripwire for DevOps. Spending so much time going back and forth between “back to basics” and “the future of development” had me thinking that securing DevOps is really Back to the Future.
There have been a number of great posts about DevOps here on The State of Security, including two posts focused specifically on securing the DevOps pipeline. This post takes a different angle on securing DevOps by looking at DevOps in exactly the same way we look at cyber risk in traditional environments. It turns out the same principles and practices apply, and they can be implemented without getting in the way of DevOps agility. After all, one of the main advantages of DevOps is rapid development and deployment; anything that slows that down will be seen as an impediment. So let’s get back to the future with those basics.
Risk Reduction in DevOps Practices
Risk combines the likelihood that something bad will happen with the loss it would cause the organization. There are a lot of things that can go wrong when developing software, some more likely than others, and each with more or less impact. Security controls reduce risk — both the likelihood and the impact of something going wrong — but controls come at a price, and that price is often speed. It’s easy to assume that a philosophy that values speed and rapid iteration will come into conflict with one that seeks to limit risk. Speed isn’t the only tenet of DevOps, however. No developer (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anthony Israel-Davis. Read the original post at: https://www.tripwire.com/state-of-security/devops/fundamentals-devops-security/