In the past few years, DevOps has moved from a niche approach to application development to an enterprise strategy that stands front and center in organizations today.
The move to DevOps is happening quickly, and information security practitioners often feel they are being pulled along, reluctantly, for the ride. All of this is happening while the foundation of enterprise IT shifts ever more rapidly from on-premises to cloud, and as the nature of development shifts to continuous integration and continuous deployment. Application quality and security testing is changing with it, becoming more scripted, continuous, and automated.
Research firm Gartner estimates that DevOps is currently in place at about 25 percent of Global 2000 enterprises this year. The benefits they hope to reap from the move to DevOps include more agile and responsive development teams and faster time to market, because DevOps helps enterprises clear application clutter through increased use of automation, standardization, and collaboration.
The challenge for information security teams is ensuring that all of the security best practices and controls they have been able to instill into their development methods follow along in the transformation. There is good news on that front: DevOps is an opportunity to automate many of those tests throughout development, and to build security design and proper engineering into the development lifecycle in ways that weren't possible before. By automating security and regulatory compliance tests throughout development, deployment, and production, security reaches a level that many security pros have been clamoring for years to attain.
That’s the DevOps security promise, anyway.
There is no guarantee that reality will match that promise; only time will tell. The difficulty is that enterprise culture and instilled processes change slowly in large organizations, which places enormous strain on IT, developers, and information security teams. And when there is strain, things get skipped or bypassed altogether. When it comes to security, that's certainly no good. With all of that in mind, we've created this DevOps Security Survival Guide.
Here are a number of our best, handpicked stories that tackle the important topic of security in a DevOps enterprise:
Naysayers contend DevOps weakens security, others say DevOps enhances security.
DevOps promises increased collaboration and enterprise IT agility. But what does that mean when it comes to regulatory compliance? There's a new effort underway with an answer.
DevOps moves too fast to build security into the process, some say. Not true, say others who believe one just needs to get a little rugged.
If you wait till tomorrow to secure what continuous deployment took live yesterday, hackers will infect your application today!
Gene Kim, award-winning entrepreneur, researcher and founder of security firm Tripwire, walks us through his vision.
Speedy, frequent updates and changes to infrastructure don't necessarily mean quality assurance is being forgone in favor of agility.
Experts contend continuous software integration and delivery practices can boost secure coding practices.
It may take a disaster or two for the lesson that security needs to be done right to sink in. Only then will containers be ready for prime time.
A video interview with Gene Kim and Josh Corman on Rugged DevOps
David Spark interviews Gene Kim (@realgenekim), president of IT Revolution Press and Joshua Corman (@joshcorman), director, security intelligence for Akamai Technologies, about IT at “ludicrous speed” with Rugged DevOps.
This story, "CSO Survival Guide: Securing DevOps" was originally published by CSO.