DevOps aims to shorten feedback loops and allow teams to quickly iterate on changes and ship features. However, continuously deploying changes also introduces security risks that must be monitored. SecDevOps seeks to address this by continually monitoring the security implications of operational changes, improving security response times while still allowing for continuous deployment. Implementing continuous security through a SecDevOps methodology is an important challenge that companies need to solve in order to fully benefit from DevOps practices.
The Case For Continuous Security
1. THE CASE FOR CONTINUOUS SECURITY
By Pete Cheslock
Senior Director of Ops and Support at Threat Stack
@petecheslock
2. DevOps is a term that has absolutely blown up in the last 5 years.
3. However, many had an immediate adverse reaction towards Yet Another Buzzword
4. …especially when the core concepts of “DevOps” were things people had been doing for YEARS!
6. The Core Tenet of DevOps
To shorten the feedback loop in development cycles, allowing teams to iterate quickly on changes and ship features to customers sooner.
15. Today…
Junior sysadmins can now make changes to:
• a Chef Recipe
• a Puppet Manifest
• an Ansible Playbook
…and deploy it to production — in minutes…
17. Sysadmins DON’T Want:
to be slowed down by the security team
or
configuration management changes to be passed through a Change Control Board
18. Sysadmins Want:
to change a variable, open a pull request, and once merged, their operational tooling to do the rest!
They want their change to hit production servers ASAP.
19. This is where SecDevOps (or SecOps) comes in.
(ignore the fact that it’s a silly buzzword just like DevOps…)
20. If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions…
Developers: value constant change
Operations: value stability
21. …then SecDevOps seeks to evoke the SAME outcome with Security teams (and the rest of the business)
22. If you’re continually deploying changes, you must be continually monitoring the security implications of operational changes.
23. Often there is no single person who can say with absolute certainty which changes to infrastructure add risk to your security posture.
24. And, if you have a traditional network security organization that manually reviews and approves changes to production…
You’ve introduced the newest bottleneck in your organization.
25. SecDevOps is the answer to this discussion.
A SecDevOps methodology allows you to improve your security monitoring and response times, while maintaining your ability to continually deploy changes.
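What slides 22 through 25 argue for is a security signal that travels with the pull request instead of a Change Control Board in front of it. The block below is an added illustration of that idea and is not code from the deck or from Threat Stack: it reads a unified diff of configuration-management files (the constructed sample diff is embedded inline), flags added lines that weaken a host (root SSH login, password auth, an admin port opened to 0.0.0.0/0, world-writable modes) and removed lines that used to harden it, and returns whether the change can flow through automatically or needs a human from the security team to look. The rule names, the file paths and the "auto-approve" / "needs-security-review" gate are assumptions made for this example; a real team would tune the rules to its own baseline.

```python
import re
from dataclasses import dataclass

# Hypothetical rules for this example. Each pattern is matched against the
# content of a line the change ADDS; a hit means the change weakens the host.
RISKY_ADDITIONS = [
    ("ssh-root-login", re.compile(r"^\s*PermitRootLogin\s+yes\b", re.I)),
    ("ssh-password-auth", re.compile(r"^\s*PasswordAuthentication\s+yes\b", re.I)),
    # SSH or RDP reachable from anywhere, in either attribute order.
    ("world-open-admin-port", re.compile(
        r"0\.0\.0\.0/0.*\b(22|3389)\b|\b(22|3389)\b.*0\.0\.0\.0/0")),
    ("world-writable", re.compile(r"\bmode:\s*['\"]?0?777\b")),
]

# Patterns matched against lines the change REMOVES: deleting a hardening
# setting is as interesting as adding a weak one, and easy to miss in review.
HARDENING_REMOVALS = [
    ("ssh-root-login", re.compile(r"^\s*PermitRootLogin\s+no\b", re.I)),
    ("ssh-password-auth", re.compile(r"^\s*PasswordAuthentication\s+no\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    file: str   # path from the '+++ b/...' header of the hunk
    line: str   # the offending line, stripped
    rule: str   # which rule fired
    kind: str   # "added" or "removed"


def review_diff(diff_text):
    """Walk a unified diff and return every security-relevant line change."""
    findings = []
    current_file = None
    for raw in diff_text.splitlines():
        # File headers come first so they are not mistaken for +/- content.
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("@@") or raw.startswith("diff "):
            continue
        if raw.startswith("+"):
            body = raw[1:]
            for rule, pattern in RISKY_ADDITIONS:
                if pattern.search(body):
                    findings.append(Finding(current_file, body.strip(), rule, "added"))
        elif raw.startswith("-"):
            body = raw[1:]
            for rule, pattern in HARDENING_REMOVALS:
                if pattern.search(body):
                    findings.append(Finding(current_file, body.strip(), rule, "removed"))
    return findings


def gate(diff_text):
    """Decide whether a change can flow through or needs a security reviewer."""
    findings = review_diff(diff_text)
    verdict = "needs-security-review" if findings else "auto-approve"
    return verdict, findings


# Constructed sample: an Ansible-style change that flips root SSH login on
# and opens port 22 to the world, alongside an unrelated nginx tuning change.
SAMPLE_DIFF = """\
diff --git a/roles/base/files/sshd_config b/roles/base/files/sshd_config
--- a/roles/base/files/sshd_config
+++ b/roles/base/files/sshd_config
@@ -1,4 +1,4 @@
 Port 22
-PermitRootLogin no
+PermitRootLogin yes
 PasswordAuthentication no
 UsePAM yes
diff --git a/roles/web/tasks/firewall.yml b/roles/web/tasks/firewall.yml
--- a/roles/web/tasks/firewall.yml
+++ b/roles/web/tasks/firewall.yml
@@ -4,3 +4,4 @@
     rules:
       - {proto: tcp, ports: [443], cidr_ip: 0.0.0.0/0}
+      - {proto: tcp, ports: [22], cidr_ip: 0.0.0.0/0}
"""

# Constructed sample: a purely operational change that should not be slowed down.
BENIGN_DIFF = """\
diff --git a/roles/web/vars/main.yml b/roles/web/vars/main.yml
--- a/roles/web/vars/main.yml
+++ b/roles/web/vars/main.yml
@@ -1,3 +1,4 @@
 nginx_worker_processes: 4
+nginx_worker_connections: 2048
 listen_port: 443
 keepalive_timeout: 15
"""

if __name__ == "__main__":
    for name, diff in (("sample", SAMPLE_DIFF), ("benign", BENIGN_DIFF)):
        verdict, found = gate(diff)
        print(f"{name}: {verdict}")
        for f in found:
            print(f"  [{f.rule}] {f.kind} in {f.file}: {f.line}")
```

Run as a pull-request check, this turns the manual board into an exception path: the benign nginx change merges untouched, while the sshd and firewall edits carry a specific reason for a human to look before the operational tooling deploys them. The removal rules matter because a diff that deletes `PermitRootLogin no` without adding a `yes` still leaves the daemon at its permissive default.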
26. This is the most important (and exciting!) problem to solve in many organizations!
27. But it is also one of the hardest problems to solve.
This is why at Threat Stack, we’re all excited to be in a unique position to actively help companies solve this.