CIOReview, June 2015

the integration itself. For example, integrating a continuous security assessment technology with Jenkins may not lead to any real benefits when viewed alone. However, for vulnerability and threat detection in your cloud environments, Jenkins can call the API of the assessment technology after every build/deploy cycle to detect new high-risk threats.

Failing the build due to undesired new risks is a brilliant use of security patterns in a very DevOps-centric manner. Now the same feedback loop in place for functional test failures carries security insights as well, and proactively blocks dangerous risks from being promoted into production environments. Additionally, IT Security professionals can now receive telemetry data from the deployment process to keep them fully informed. This ultimately results in the business team continuing to hit their delivery dates, DevOps teams gaining a powerful addition to their toolkit, and security professionals achieving the level of risk mitigation necessary to stay ahead of the curve.

Automation

Automation does three things for DevOps teams: it enables scalability without adding bodies, increases velocity, and improves reliability through repeatability. We've already seen one example of security automation delivering business value in the Jenkins example above. Another great example of how DevOps organizations can use automation can be seen when Security Acceptance Tests are added to the quality cycle. Technology teams often overlook security state as a source for acceptance criteria, but it is a powerful ally in maintaining the integrity and reliability of our products or services. If the known desired state for security configurations, relationships, and policies can be articulated in plain words, then the validation process can be highly automated. Once the desired security state has been documented, it can be codified in any number of languages and operationalized.
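As an added example (not code from the article), the kind of Ruby security acceptance tests this section describes: the desired state codified as data, validations run against a snapshot of the environment, and a gate a Jenkins step can use to fail the build on new findings. The snapshot is a constructed stand-in for what a cloud SDK call would return; no real SDK is called.

```ruby
require 'ipaddr'
# Desired security state, stated in plain words and then codified.
DESIRED_STATE = {
  ssh_allowed_from: ['10.0.0.0/8'],  # SSH only from the admin network
  storage_public:   false,           # no world-readable buckets
  max_new_findings: 0                # any new finding fails the build
}.freeze

# Constructed snapshot standing in for what the cloud SDK would return
# (security groups and storage buckets); refreshed on every loop in practice.
SNAPSHOT = {
  security_groups: [
    { name: 'web',   rules: [{ port: 443, cidr: '0.0.0.0/0' }] },
    { name: 'admin', rules: [{ port: 22, cidr: '10.0.0.0/8' },
                             { port: 22, cidr: '0.0.0.0/0' }] }
  ],
  buckets: [
    { name: 'app-assets', public: false },
    { name: 'exports',    public: true }
  ]
}.freeze

# SSH rules are compliant only when their CIDR lies inside an allowed range.
def check_ssh_exposure(groups, allowed_cidrs)
  allowed = allowed_cidrs.map { |c| IPAddr.new(c) }
  groups.flat_map do |g|
    g[:rules]
      .select { |r| r[:port] == 22 && allowed.none? { |a| a.include?(IPAddr.new(r[:cidr])) } }
      .map { |r| "security group #{g[:name]}: SSH open to #{r[:cidr]}" }
  end
end

def check_public_storage(buckets)
  buckets.select { |b| b[:public] }.map { |b| "bucket #{b[:name]} is publicly readable" }
end

# Run every validation against a snapshot; returns the list of findings
# (empty when the environment matches the desired state).
def run_security_acceptance(snapshot, desired = DESIRED_STATE)
  findings = check_ssh_exposure(snapshot[:security_groups], desired[:ssh_allowed_from])
  findings += check_public_storage(snapshot[:buckets]) unless desired[:storage_public]
  findings
end

# Build gate for the CI step: only findings absent from the accepted baseline
# count, so previously reviewed items do not block every build.
def build_passes?(findings, baseline, max_new = DESIRED_STATE[:max_new_findings])
  (findings - baseline).size <= max_new
end
```

A Jenkins step would call run_security_acceptance on a fresh snapshot, print the findings, and exit non-zero when build_passes? returns false, which is what fails the build.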
Imagine building a series of security validations in Ruby on top of an SDK, and then using those validations in a continuous loop. In highly dynamic environments, like AWS or Azure, this continuous security verification ensures that no undesired changes happen in your application or infrastructure stacks. These same validations also confirm and document your compliance against your desired security state, providing you a historical audit trail of your own progress towards highly secure cloud computing.

"The (sometimes surprising) truth is, security, despite its reputation for being friction-oriented and risk-averse, can make DevOps organizations really fly."

Iteration

Iteration is the continuous behavior of reviewing current technology or process, hypothesizing improvements, and then testing those improvements to realize maximum gains. Many people discuss DevOps like it's a one-time effort, but in reality it is an ongoing commitment to improve for the rest of your career. Security is no different.

In fact, security is a perfect example of how iteration can be a positive influence. The job of a security professional is never done, as new attacks and threats emerge almost every minute of the day. The overwhelming nature of the industry lends itself well to iterative methodologies, as it is impossible to build a comprehensive security strategy and deploy it in any reasonable time period. Starting small and rapidly iterating your way towards a more refined, sophisticated security posture is definitely the way to go. Security is an ideal complement to the DevOps philosophy, because the new reality is that security is not a one-time practice that gets implemented before the product ships; it's an ongoing process that needs to be included seamlessly into every aspect of the work. As attacks mutate and evolve, your defenses must follow suit.
As a defender, you need to continuously review your status, think of ways to create new defenses, and apply those defenses to your environments. Integrating security into DevOps creates a tight feedback loop that enables faster response to new threats, deeper awareness of undesired traffic or usage patterns, and rapid response to emerging security challenges.