What to Do and What to Avoid When Implementing Security in the DevOps Lifecycle

DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, there are security teams need to be strategic about how they approach DevOps security.

Here are some expert recommendations on what to do and what to avoid when implementing security in the DevOps lifecycle.

What are some tips that folks should do when implementing security in the DevOps lifecycle?

Kim Crawley, Cyber Security Writer | @kim_crawley

Things won’t be looked after without responsibility, and no one can take responsibility without accountability. At the beginning of a software development project or product, make sure that all roles and responsibilities are clearly and concisely delegated to each individual who is involved.

Per Beta News, nearly half of people who work in DevOps say that establishing clear ownership and responsibility is a challenge when it comes to implementing security. And security must be integrated into each and every stage of the DevOps lifecycle.

Leigh Honeywell, CEO at Tall Poppy | @hypatiadotca

Bring security to where people are already working. Make it easy to kick off security processes within the tools your engineers are already using.

We did this in my previous role at Slack, and it was essential to scaling up.

Anthony Israel-Davis, Senior Manager, R&D at Tripwire | @anthony_id

The great thing about DevOps is that it automates and streamlines a lot of the traditional stage gates, but those stage gates are still critical controls from both a security and compliance standpoint. Separation of duties is still important, and the pipeline can take what used to be manual hand-off points and build those into an automated process. Triggering a deployment, functional and quality testing, and deployment should all be access-controlled where appropriate and be gated by workflows to (Read more...)