Disciplined Agile

Security Strategies for DevOps

There are several security strategies that support Disciplined DevOps:

  1. Build “rugged software.” Rugged software is a recent movement in the IT industry that recognizes the need for robustness, quality and security. An implication of this is that software-based solutions should have appropriate security control features built in, including but not limited to access control, monitoring, validated input, and sanitized data transfers.
  2. Automated separation of duties (SoD). The need for regulatory compliance, particularly around security, is very common. Standards such as Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 typically require separation of duties (SoD). Although much is made of the issue that the person who develops something should be different than the person who deploys, a continuous deployment (CD) strategy where things are deployed by your tools (and appropriate logging occurs) can still pass a compliancy audit. In fact, this level of automation tends to provide better SoD control than what you find when people are involved with manually running scripts.
  3. Collaborative security engineers. As with other enterprise IT staff — such as enterprise architects, asset engineers, or data managers — security engineers can and should collaborate closely with the teams they support. They should actively strive to transfer their skills and knowledge whenever they can so as to enable teams to be as self-sufficient as possible.
  4. Exploit testing. Also known as penetration testing, the goal is to simulate common ways that attackers can exploit potential security gaps. It is common to have such testing tools as part of your continuous integration (CI) strategy.
  5. Real-time security monitoring. Your operational systems should be monitored in real-time for potential attacks/exploits. This is an important aspect of your operational intelligence.