In this second installment of the four-part webinar series on Secure Design, Brook Schoenfield will offer effective, proven DevOps security strategies.
A common myth of DevOps is that activities such as architecture can be jettisoned in favor of automation. But architecture requires human analysis; there is currently no automated substitute.
Security thinking is a key part of architecture and design, and that thinking is grounded in threat modeling. Examining how security activities, and threat modeling in particular, fit into the DevOps cycle is critical to building security into a DevOps loop.
There’s “SecDevOps,” “DevSecOps,” “DevOpsSec,” and just plain old security for DevOps. You might very well be confused. Software developers and security people haven’t been able to settle on a term, much less on what it all means in practice. Many shops have developers who declare that security is too cumbersome for DevOps, while those charged with application security try to take control of the DevOps chain. Both positions rest on myths and misunderstandings, and they lead to unnecessary friction.
Security practices benefit from a DevOps mindset and from the automation and code that result from it. But first, the myths must be busted: there is no inherent antipathy between security and DevOps; even DevOps requires plans and structure; and security improves through iteration in bite-sized chunks.