CSO Survival Guide: Securing DevOps
The move to DevOps is happening quickly, and information security practitioners often feel they are being pulled along, reluctantly, for the ride. All of this is happening while the foundation of enterprise IT shifts more rapidly from on-premises to cloud and as the nature of development shifts to continuous integration and continuous deployment. Application quality and security testing, in turn, are becoming more scripted, continuous, and automated.
Research firm Gartner estimates that DevOps is in place at about 25 percent of Global 2000 enterprises this year. The benefits these enterprises hope to reap from the move to DevOps include more agile and responsive development teams and faster time to market, because DevOps helps them clear application clutter through increased automation, standardization, and collaboration.
The challenge for information security teams is ensuring that all of the security practices and controls they have managed to instill into their development methods follow along in the transformation. There is good news on that front: DevOps is an opportunity to automate many of those tests throughout development and to build security design and proper engineering into the development lifecycle in ways that were not possible before. By automating security and regulatory compliance tests throughout development, deployment, and production, security can reach a level that many security pros have been clamoring for years to attain.
That’s the DevOps security promise, anyway.
There is no guarantee that reality will match that promise, and only time will tell. The difficulty is that culture and entrenched processes change slowly in large organizations, and the change places enormous strain on IT, developers, and information security teams. When there is strain, things get skipped or bypassed altogether, and when it comes to security that is no good. With all of that in mind, we have created this DevOps Security Survival Guide.
Here are a number of our best, handpicked stories that tackle the important topic of security in a DevOps enterprise:
Does DevOps hurt or help security?
Naysayers contend DevOps weakens security, others say DevOps enhances security.
DevOps promises increased collaboration and enterprise IT agility. But what does that mean when it comes to regulatory compliance? There's a new effort underway with an answer.
Rugged DevOps: In search of the defensible infrastructure
DevOps moves too fast to build security into the process, some say. Not true, say others who believe one just needs to get a little rugged.
How to maintain security in continuous deployment environments
If you wait until tomorrow to secure what continuous deployment took live yesterday, attackers will compromise your application today.
How security can add value to DevOps
Gene Kim, award-winning entrepreneur, researcher, and founder of security firm Tripwire, walks us through his vision.
Agile doesn’t (necessarily) mean fragile
Speedy, frequent updates and changes to infrastructure don't necessarily mean quality assurance is being forgone in favor of agility.
Moving toward smart and secure continuous software delivery
Experts contend continuous software integration and delivery practices can boost secure coding practices.
For containers, security is problem #1
It may take a disaster or two for the lesson that security needs to be done right to sink in. Only then will containers be ready for prime time.
A video interview with Gene Kim and Josh Corman on Rugged DevOps
David Spark interviews Gene Kim (@realgenekim), president of IT Revolution Press, and Joshua Corman (@joshcorman), director of security intelligence for Akamai Technologies, about IT at "ludicrous speed" with Rugged DevOps.