CSO Survival Guide: Securing DevOps

A number of the most important stories you need to read for securing DevOps

In the past few years, DevOps has moved from a niche approach to application development to an enterprise strategy that stands front and center in organizations today.

The move to DevOps is happening quickly, and information security practitioners often feel they are being pulled along, reluctantly, for the ride. All of this is happening while the foundation of enterprise IT shifts more rapidly from on-premises to cloud and as the nature of development shifts to continuous integration and continuous deployment. The very nature of application quality and security testing is changing as well, becoming more scripted, continuous, and automated.

The research firm Gartner estimates that DevOps is in place at about 25 percent of Global 2000 enterprises this year. The benefits they hope to reap from the move to DevOps include more agile and responsive development teams and faster time to market. This is because DevOps helps enterprises to clear app clutter through increased use of automation, standardization, and collaboration.

The challenge for information security teams is ensuring that all of the best security practices and controls that they’ve been able to instill into their development methods follow along in the transformation. And there is good news on that front: DevOps is an opportunity to automate a lot of those tests throughout development, and to build security design and proper engineering into the development lifecycle in ways that weren’t possible before. By automating security and regulatory compliance tests throughout development, deployment, and production, security reaches a level that many security pros have been clamoring for years to attain.

That’s the DevOps security promise, anyway.

There is no guarantee, though, that reality will match that promise. Only time will tell. The difficulty, however, is that enterprise culture and instilled processes change slowly in large organizations, where the change places enormous strain on IT, developers, and information security teams. And when there is strain, things get skipped or bypassed altogether. When it comes to security, that’s certainly no good. With all of that in mind, we’ve created this DevOps Security Survival Guide.

Here are a number of our best, handpicked stories that tackle the important topic of security in a DevOps enterprise today:

Does DevOps hurt or help security?

Naysayers contend DevOps weakens security; others say DevOps enhances security.

Defending DevOps

DevOps promises increased collaboration and enterprise IT agility. But what does that mean when it comes to regulatory compliance? There’s a new effort underway with an answer.

Rugged DevOps: In search of the defensible infrastructure

DevOps moves too fast to build security into the process, some say. Not true, say others who believe one just needs to get a little Rugged.

How to maintain security in continuous deployment environments

If you wait till tomorrow to secure what continuous deployment took live yesterday, hackers will infect your application today!

How security can add value to DevOps

Gene Kim, award-winning entrepreneur, researcher and founder of security firm Tripwire, walks us through his vision.

Agile doesn’t (necessarily) mean fragile

Speedy, frequent updates and changes to infrastructure don't necessarily mean quality assurance is being forgone in favor of agility.

Moving toward smart and secure continuous software delivery

Experts contend continuous software integration and delivery practices can boost secure coding practices.

For containers, security is problem #1

It may take a disaster or two for the lessons of needing to do security right to sink in. Only then will containers be ready for prime time.

A video interview with Gene Kim and Josh Corman on Rugged DevOps

David Spark interviews Gene Kim (@realgenekim), president of IT Revolution Press, and Joshua Corman (@joshcorman), director, security intelligence for Akamai Technologies, about IT at “ludicrous speed” with Rugged DevOps.


Stories by George V. Hulme
