https://www.techtarget.com/searchsecurity/tip/Secure-DevOps-Inside-the-five-lifecycle-phases
DevOps and cloud computing are radically changing the way organizations design, build, deploy and operate online systems. According to the latest SANS application security report, 43% of organizations are now delivering changes to production on a weekly, daily or continuous basis.
With the increasing rate of change, traditional approaches to security can't keep up. Therefore, security, IT and risk professionals are left struggling to figure out how they can reduce risk in a DevOps world.
In the quest to reinvent security in DevOps -- also known as secure DevOps -- figuring out where to begin is the most difficult part. To help security professionals get started, the SANS security community created a visual aid that breaks down each phase of the continuous integration and continuous delivery process.
The new "Secure DevOps Toolchain" infographic identifies the key tools and processes to help organizations transition to secure DevOps. The five phases of the secure DevOps lifecycle include:
The "Secure DevOps Toolchain" infographic identifies many free, open source tools in each of the above phases to help security professionals transition to secure DevOps; for example, security scanners and compliance checkers from Amazon Web Services, Microsoft Azure, HashiCorp, Netflix, Etsy, Capital One and many others in the open source community. The infographic also includes the "Securing Web Application Technologies (SWAT)" checklist to help raise security awareness during software development.
DevOps is the future of development, so making secure DevOps the future of enterprise security programs is crucial. Education, information sharing and collaboration will play key roles in helping developers, operations and security professionals build and deliver secure applications.
About the authors:
Eric Johnson (@emjohn20) is a principal security consultant at Cypress Data Defense where he leads secure software development lifecycle consulting, web and mobile application penetration testing, secure code review assessments, static source code analysis, security research, and security tool development. Johnson is a certified instructor with the SANS Institute where he authors application security courses on DevOps, cloud security, secure coding and defending mobile apps.
Frank Kim (@fykim) is a curriculum director at the SANS Institute and founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the SANS Institute, Kim led the information risk function for the most trusted source of computer security training and certification in the world. In his new role at SANS, he continues to lead the management and software security curricula, helping to develop the next generation of security leaders.
20 Mar 2018