Professional Documents
Culture Documents
5
FIVE PRINCIPLES FOR
Securing
DevOps
INTRODUCTION
DevOps, a new organizational In fact, there are sound business reasons
for executives to embrace these changes.
and cultural way of organizing
development and IT operations
work, and its sister technologies,
continuous integration and
continuous deployment
(CI/CD), have transformed
the way we create software.
And there is widespread evidence that A recent study shows that firms with
DevOps practices, despite their substantial high-performing IT organizations
organizational, cultural and technological are twice as likely to exceed their
requirements, are spreading rapidly. profitability, market share and
productivity goals.
Forsgren, N., J. Humble (2016). “DevOps: Profiles in ITSM
Performance and Contributing Factors.” In the Proceedings
of the Western Decision Sciences Institute (WDSI) 2016,
Las Vegas, NV. Available at SSRN: ssrn.com/abstract=2681906
Requirements
principles for securing DevOps:
5. Keep Operational
Visibility
1
API
2
of the pipeline, or only on builds
There are several ways to address
that make it to a certain stage of
this requirement, for instance:
release candidate qualification.
• Scan small units of code so that
In addition, you don’t need to stop
results can be returned within
at integrating with the pipeline.
the latency tolerance of the
The best way to catch software
existing process in the pipeline.
defects quickly is to introduce tests
• Allow the pipeline to kick off that run as close to the developer
tests and feed the results into as possible — for example, with
the backlog of the development quick-running tests triggered on
team outside of the pipeline, check-in or even as pre-check-in
essentially conducting the full gates. You can also allow developers
application test in parallel. to quickly test from the IDE.
No False Alarms
As the industry has learned, a technology that reports too
many false positives will be ignored and will fail to be adopted.
This is doubly true in CI/CD, where a failed security test
may stop a critical business function from being delivered
to production — or a critical patch from being released.
That may be tolerable if the security issue is real, but
is completely intolerable if the finding is a false positive.
4
PRINCIPLE FOUR
Visibility
5
1 2 3
TO ENABLE THE TO CATCH EXCEPTIONS. TO DETECT AND
TEAM TO DEPLOY PROTECT AGAINST
FASTER. There will be cases when
AN ATTACK.
an application gets to
The business may Operations needs
production without going
choose to trade full visibility into potential
through the automated
application security security issues in
pipeline, or when a
testing for faster deployed software so
misconfiguration results
deployment and, that they can drive a
in a vulnerable application.
therefore, rely on quick response.
These cases make
the ability to test
discovery and testing
after deployment
of web applications in
and quickly update
production critical.
if an issue is found.
Many organizations are 1 Have you rearchitected 4 Are you practicing trunk-
your applications for based development, or do
at the earliest stages of microservices, or is that you still practice release and
considering how to integrate work still in progress? feature branching?