Security should be built into every part of the DevOps lifecycle, including inception, design, build, test, release, support, maintenance, and beyond.
This model of security in DevOps is often called DevSecOps.

DevSecOps aims to improve security through shared responsibility among all stakeholders and improved collaboration between teams, overlaying the entire DevOps workflow.

In this interesting article on Tripwire's The State of Security, Sai Nikesh D shows us eight key prerequisites that are mandatory in order to successfully integrate security into the DevOps process:

1. Security should be application-centric

...applications are something that represent and run your customer and partner-facing operations. So, building an application-centric security mechanism is very important considering the growing volume of apps, frequency of updates/changes to the existing apps, increased connectivity involving multiple partners across the enterprise and more.

2. Security should be accurate and perfect

Every team involved should be aware of potential security threats. Enforce strict policies for effective implementation if required but make sure not to increase complexities.

3. Security should be on record

A perfect program management plan helps achieve this goal by ensuring that security is in place and all the required specifications are perfectly documented and met.

4. Security should be customizable or personalized

Teams should clearly understand exceptions and necessary measures to be taken.

5. Security should be at high speed

However, it should not be in a position to take over or slow down the front-end process in a DevOps process chain.

6. Security should be scalable

It should be scalable enough to deal with unexpected/sudden errors that can arise out of a fast-paced development process.
‘Security-as-code’ works well for driving innovation.

7. Security shouldn’t be a hurdle for developers

That should, in fact, support developmental efforts as the Dev teams move forward in the process chain.

8. Security should be a well-balanced factor

The core job of security is effective management of risks. That’s why the security teams should be integrated into the DevOps process.
