DevOps Security Lessons

There is no doubt that the realization of DevOps can offer substantial operational advantages. The problem is that if you talk to ten different organizations about how they define and deliver DevOps—you will get ten different answers.

By the time you take into account the number of development technology options, and then the plug-ins available to the technologies and the cloud infrastructure variations – you already have more chances of winning the US Powerball lottery (1 in 292 million, in case you are interested) than running a DevOps stack and setup that is identical to one running in another company.

This is great news for the criminal hacking fraternity – many of whom enjoy picking through the open ports and misconfigurations to find opportunities. With that said, here is some good news for you:

Embedding fully-effective security in DevOps environment may *seem* impossible but trust me when I say that it only *seems* that way. Anything hackers can find a way to compromise – security people can find a way to fix.

When the “cloud-first” mindset emerged, I was out auditing some of those suppliers – and what customers usually told me on the way in was: “it’s so cheap, we don’t need all that security software anymore because it’s cloud!”

The truth was a little different. You might not need exactly the same security technologies – but the security principles remained the same.

It’s a similar situation with DevOps--the technologies and principles have moved on, but the underlying security engineering objectives endure.

Your DevOps department may not be solely reliant on a monolithic architecture anymore – but it does have its own security requirements – and you still need to know you can count on the myriad “other” dependencies (or at least deploy a contingency option, should things go wrong).

Recently, I presented at a webinar hosted by BeyondTrust, which is now available to watch on-demand here: Does your DevOps Environment have this Critical Security Vulnerability? (Most do).

This webinar focuses on what lessons we can draw from where DevOps environments are failing with regards to security. This webinar examines where things go wrong, what the clear indicators of failure look like, and how to assess roughly where you think your own organization is on the DevOps security maturity pathway.

This webinar is based on my experience from auditing, managing, and overseeing security across several dozen development environments – and if you don’t learn anything from it – then you must already have had similar work experiences to me and just be chasing down some CPE!