It’s hardly a controversial statement to say that DevOps is changing the way that organizations build and deploy applications. There’s plenty of material, stories, whitepapers and whole companies that demonstrate this trend. There are, however, a couple of things that make a discussion about security and DevOps important.
First, while there are a lot of organizations that have adopted DevOps tools and processes, there are many, many more that haven’t. That means that there are a lot of organizations that will do so in the future. And where there is adoption, it’s not necessarily comprehensive. It may be that one group has done so, or that teams are using some tools, but not others. In other words, DevOps is still fundamentally an early-stage technological movement.
The second reason is that DevOps is set to transform security, and no one is quite sure what that means, though there are a lot of opinions on the topic. Given that context, what should we be doing to secure this brave new world? We should start by looking at the pervasive industry problems. It’s tempting to start any DevSecOps discussion with technology. There’s a lot of it, and there’s always something new. But DevOps is really about solving a business problem, and so we should stay a level above the technology, at least for a bit.
Problem 1: Unacceptable Risk
A typical DevOps lifecycle involves pre-deployment testing, but rarely scanning for risks such as vulnerabilities, misconfigurations and compliance gaps. It’s important to talk about risk broadly because all of these elements are real and can have a real impact on an organization. It’s tempting to focus on vulnerabilities, and it’s tempting to state that they all need to be fixed, but the reality is that ‘risk’ is broad and what counts as acceptable risk is specific to each organization. If
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tim Erlin. Read the original post at: https://www.tripwire.com/state-of-security/devops/security-quality-devops/

