Are your DevOps and Security teams friends or foes?

Editor's Notes

• #6: DevOps is an engineering methodology for streamlining app development If something needs to be done more than once – automate it!
• #7: Git: Developers cooperate and communicate through this platform Jenkins: the main pivot
• #11: No config changes after deployment
• #15: Organizations are under constant pressure to innovate and remain competitive, while reducing costs. This has driven business leaders to push for digital transformation, often powered by cloud-native platforms and DevOps practices that boost business agility. Security teams, however, have been left behind – forced to rely on tools and practices that were not designed for cloud and agile environments. As a result, organizations have had to trade agility for security.
• #16: How did we get here? Traditionally, applications were built on top of infrastructure – both physical and virtual – and security teams had standard practices for provisioning, managing and operating the infrastructure. Applications took months, sometimes years to build and might get updated only a handful of times each year. For the most part, security teams could keep pace with new app deployments and change requests. <CLICK> But over the past several years, developers have turned to public clouds for rapid provisioning and organizations have adopted DevOps practices that automate application build, test and deployment cycles. <CLICK> We still build applications, of course, but they’re no longer monolithic or dependent upon infrastructure. <CLICK> Instead applications are composed of several small or micro services. This enables developers to add new services and change existing services faster than ever before. In fact, updates that used to happen every few months now happen multiple times a day! Traditional IT and security practices are not setup to handle the scale or pace of change that cloud enables.
• #17: The adoption of cloud-native platforms and DevOps practices also impacts traditional roles and responsibilities. For example, developers focused on building applications while IT managed infrastructure provisioning and security. In the new world, developers build applications based on microservices – some of services are custom built, while others are provided by the cloud platform. Meanwhile, DevOps teams have taken responsibility for management of cloud infrastructure and services. However, when it comes to security most organizations are left vulnerable. DevOps are not security specialists and may not properly address security and compliance requirements. At the same time, IT security rarely has access, visibility or control of cloud-native environments.
• #19: Don’t define the low-level SGs and forth – define guardrails using tags Ideally – define a unified policy across everything
• #20: We don’t own the infrastructure Developers deploy the full stack including security configuration We can’t use IP addresses for segmentation Everything should be automated
• #23: Add automated security testing in the CI/CD pipeline Work in the pipeline with the developers to test, assess, audit and block! Build and test: Identify malicious and vulnerable dependencies Add security tests Deploy: Ensure compliance before production (for both code and configuration!) Operate: Swap out misbehaving components (e.g., a container)
• #24: Add automated security testing in the CI/CD pipeline Work in the pipeline with the developers to test, assess, audit and block! Build and test: Identify malicious and vulnerable dependencies Add security tests Deploy: Ensure compliance before production (for both code and configuration!) Operate: Swap out misbehaving components (e.g., a container)