ISSA-LA Security Summit XII

There’s “SecDevOps”, “DevSecOps”, DevOpsSec”, and just plain old security for DevOps. You might very well be confused? Software developers and security people haven’t been able to settle on a term, much less what it all means in practice. Many shops have developers who declare that security is too cumbersome for DevOps. At the same time, those charged with application security try for control of the DevOps chain. These positions are based in myths and misunderstandings; they lead to unnecessary friction. Security practices benefit from a DevOps mindset, and the automation and code that results. But first, myths must be busted. There is no inherent antipathy between security and DevOps. Even DevOps requires plans and structure. And security improves through iteration of bite-sized chunks.

A common myth of DevOps is that activities like architecture may be jettisoned in favour of automation. But, architecture typically requires at least some human analysis. A key part of architecture and design will be security thinking. Security thinking will be based in threat modeling. An examination of the integration of security activities, and especially threat modeling into the DevOps cycle is critical to implementing security in a DevOps loop.

Join Author and Master Security Architect, Brook S.E. Schoenfield, to learn about effective, proven DevOps security strategies.