As the infosec community catches up with the spirit of the DevOps movement, many CISOs and IT security leaders still need guidance on how to make the paradigm shift. Not only are these security folk scratching their heads to figure out the additional risks posed by continuous delivery, but they’re also learning how DevOps can […]
Deputizing Everyone for Security – Building Agile Assurance
Those of us highly focused on the delivery pipeline of DevOps will wonder why we should invite the security guy to the party. After all, aren’t they just going to slow down the process and make it harder to deliver good features to end customers? My prior post about introducing SecDevOps by example was not […]
Security in the operational relay race
If you’ve ever seen people run a relay race, you’ll notice that most of the risk happens when the baton is handed from one runner to the next. In IT processes, there is also dramatically increased risk during handoffs. Whether you’re moving from one process phase to another, one “owner” to another, or one environment […]
Security automation with DevOps: show me the code!
Last week Andrew Storms put up a good post hinting at the promise of security automation in [SecDevOps: Security Automation By Example – The Firewall Change]. He included an example of automating a series of actions when a firewall rule is changed. It’s a good article, although I’m increasingly convinced there’s no such thing as […]
Security and DevOps showdown
George Hulme’s article on proceeding with caution on DevOps implementation offers some advice from a few well-known security experts. Article here vs. Alan Shimel says today’s speed of business isn’t compatible with “go slow”. Security people have to understand that DevOps is our last best hope. But in order to have DevOps […]
DevOps: Security’s last best hope
Help us Obi Wan! The fact is that DevOps is security’s last best hope. The sooner the security industry realizes it the better it will be for everyone. I read George Hulme’s story today about proceeding with caution and going slow with DevOps. Of course it was no surprise to me that those cautioning to […]
DevOps: Caution Ahead
Despite the continued adoption of enterprise DevOps practices, some organizations, especially those in highly regulated industries, remain cautious about moving forward too quickly. “There’s no doubt that DevOps brings benefits for some organizations,” says Martin Fisher, director of information security at Atlanta-based WellStar Health System. “However, many pushing for DevOps underestimate the amount of technological and […]
Q&A: Speaking DevOps and Threat Modeling with the author of Threat Modeling: Designing for Security
If you want to understand how to threat model systems and applications in most any environment you turn to someone who has done so. That’s why we took 30 minutes to speak with Adam Shostack. Adam is responsible for security development lifecycle threat modeling at Microsoft and he is one of the very few threat […]
Programmability in the Network: Stop a Bleeding Heart…
It is not often the case that a security vulnerability can get the entire Internet talking. And not just the security community on the Internet, but everyone. End-users and IT alike are looking for answers and trying to mitigate Heartbleed. It has its own web site and logo. It’s that big of a deal. Many service providers have […]
Continuous integration for better security
One of the big advantages to smaller deploys and continuous integration is that it can make it easier to provide more proactive security. In short, continuous integration (and the associated automated testing it enables) makes it easier to focus your security team on analyzing areas where the security risk is higher. If the notion of […]