DevOps

Recommendations

Info

Security industry conferences and articles in the trade press are fond of harping on the broken IT security model. They point to growing breach statistics, embarrassing configuration and patch management practices, and mounting vulnerability exploits as ample evidence of the problems plaguing infosec. It’s easy to point out problems, but what about solutions? Interestingly, as scary as DevOps may be to the typical security pro, its fast iterations and continuous delivery patterns may be just the solution to fixing what’s broken in today’s security model. “Security pros need to understand that this is the future of IT and of IT security,” says Rich Mogull, analyst and CEO at security analyst firm Securosis. “I see DevOps doing nothing but improving security when done right. Not only is software going to be more secure, but if you learn from these techniques it can help you get your day-to-day security more efficient.” But the devil is in the details. What exactly does it take to do it right? How can security operate within the DevOps context in order to ensure a more sustainable and less risky continuous delivery value chain? The complete answers to those questions are still being written. But the innovators in the security and DevOps communities are finding early success with a number of key practices that contribute to what many security pundits call a Rugged DevOps experience.
Attackers are already using their own form of continuous delivery to overwhelm the good guys. The reason security teams can’t keep up is because the bad guys have already figured out how to use automation and cloud-style technologies to scale up their attacks, says Tim Prendergast, CEO of Evident.io and a long-time DevOps and security practitioner. Predergast is best known for his former role, leading up cloud architecture and security for Adobe. “But the defenders are still relying on this model where you’ve got a person in front of a console,” says Prendergast. “They’re just outgunned and outnumbered, so they have to move into this automation philosophy. They have to make time for renovating their approach and they have to be open to new ideas.” This means getting unstuck from security patterns they’ve settled into for the past 15 or 20 years, says Prendergast. “DevOps is bringing a whole new Understand That Attackers Already Deliver Continuously approach to security to the table that’s actually way better than what we used to be doing,” he says, explaining that security teams will be able to pivot more quickly with attack trends if they learn how to deploy platforms and protection mechanisms in lean, iterative cycles rather than relying on “big-bang releases.” And rather than trying to be a ‘gating factor’ at the tail end of enterprise development, security should be baked into operational practices and automated tooling throughout the development pipeline. “A DevOps team will deploy code and when a bug pops up, they’re very well instrumented to gather telemetry on the bug, get it into repair and turn a fix around the same day and redeploy,” he says. This approach is in contrast to the old model of rolling back the entire deployment on the hunt for a pristine deployment, delaying necessary features for the sake of a whole list of bugs that may take days or weeks to take care of. What is Rugged Software? “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software. —From www.ruggedsoftware.org
Page 1: RUGGED DevOps: 10 WAYS TO START EMB
Page 5 and 6: DevOps cycle times can seem impossi
Page 7 and 8: Coming to a mutual understanding co
Page 9 and 10: AT THE SPEED PEOPLE WANT TO MOVE, R
Page 11 and 12: Improve application quality and per
Page 13 and 14: help speak in the universal languag
Page 15 and 16: Take Advantage of “Accidental”

DevOps

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?