In most organizations, information security concerns are one of the most frequent objections against DevOps adoption. And yet, the DevOps methodology is one of the best techniques for delivering the world's most secure systems.
In many organizations, perhaps in your organization too, the ratio of information security specialists to the entire software engineering team is 1/100. In other words, in a software engineering team of 100 people you usually find only a single information security specialist. This results in long lead times to get any software security related problem resolved, delays in software deliveries and, even worse, a sub-optimal level of information security for your clients.
If you have learnt one single thing from your software delivery experience, it must be that showstoppers at the end of projects are bad, but showstoppers related to security issues are even worse. Therefore, every single member of your DevOps team should embrace information security as part of daily engineering work, rather than as a checkbox ticked (or unticked) at the end of your projects.
In order to ensure that an information security issue does not become a showstopper and bottleneck just before your software deployment, involve information security specialists in the early stages of your software engineering process. Invite them to demonstrations, early planning and review sessions, so they get a feel for the business your software is associated with. In this way they can better judge potential information security risks and issues, and support your DevOps team in defining the information security and compliance goals that must be handled during the course of your software engineering process.
You and your DevOps team need to track security features as well as security incidents with your standard task planning and incident management tools, instead of dumping them into compliance management tools that your DevOps team doesn't pay much attention to. Whenever there is an information security related issue in your software architecture, design or running systems, educate your DevOps team about it. Make them understand the root causes of these problems and how they should think about and approach similar situations in the future so as not to recreate the same issue.
In terms of information security, the tactical approach of your DevOps team is:
By building such reusable assets, your DevOps team should standardize the information security aspects of your software in various critical dimensions, such as:
In this chapter you have been given some recommendations about the DevOps way of information security. Information security is by itself an art and a science, so the approach articulated in this chapter is not meant to make you an information security expert, but to explain to you how the DevOps software development and delivery methodology approaches information security.
It is evident that DevOps empowers the information security and compliance goals of your organization and integrates them very well into the daily work of your DevOps engineers, by making information security everyone's job in your organization. The world's most dynamic companies have already proven that this is a safe way to serve your clients securely.