Remember the creation and rise of DevOps, the coming together of development and operations as one? This happened because it was considered wrong to separate development from operations.
We know security should not be separate, hence we need DevSecOps (sometimes abbreviated SecOps).
Another definition of SecOps: The collection of all people, practices, intelligence, and technology that goes into securing an enterprise’s assets. It handles threat modeling, risk assessment and management, bug (vulnerability) reports and issue tracking, responses and fixes, configuration, rollout, deployment, maintenance, evolution, and all that, with security in mind the whole time.
Note that the management of all those secrets and other sensitive information in your deployment configuration files can be a weak point in your security profile. Are you managing those secrets well?
It feels like this page of notes would not be complete without a listing of the most common (if not the most obvious) practices that any good security-conscious Ops team will have in place:
And where possible, automate, automate, automate. Remember to automate. Humans can make mistakes with this kind of stuff; why risk it? A manual deployer turned malicious insider is scary.
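As an added example (not code from the original notes), here is the kind of automated check that ties the two points above together: a small scanner that refuses a deployment config which assigns a literal value to a password, token or key, while accepting values that merely reference the environment or an external secret store. The sample config text, the `vault:` reference prefix and the `<placeholder>` form are constructed conventions for the illustration, not a standard any particular tool defines.

```python
import re
import sys

# Keys whose values should never be committed as literals in a deployment config.
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*?(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)

# Value forms that point at a secret instead of containing it: ${VAR}, $VAR,
# a vault: reference, or a <placeholder>. These conventions are assumed for
# the example; adapt them to the secret store your pipeline actually uses.
REFERENCE_VALUE = re.compile(
    r"^(?:\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*|vault:\S+|<[^>]+>)$"
)


def find_hardcoded_secrets(config_text):
    """Return one finding per line that assigns a literal value to a
    sensitive-looking key. The secret itself is never echoed back; only the
    line number, the key name and the literal's length are reported."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if value == "" or REFERENCE_VALUE.match(value):
            continue  # empty, placeholder, or a reference to an external store
        findings.append({"line": lineno, "key": m.group("key"), "length": len(value)})
    return findings


def scan_paths(paths):
    """Scan files on disk; the non-zero count is what gates the deploy in CI."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{f['line']}: literal value ({f['length']} chars) assigned to {f['key']}")
                total += 1
    return total


# Constructed sample: a .env-style deployment file with two embedded secrets.
BAD_CONFIG = """\
# deploy.env (constructed example, not a real deployment)
DB_HOST=db.internal
DB_PASSWORD=hunter2
API_KEY="sk-live-0123456789abcdef"
SESSION_SECRET=${SESSION_SECRET}
"""

# The same file after remediation: every secret is a reference, not a literal.
GOOD_CONFIG = """\
DB_HOST=db.internal
DB_PASSWORD=${DB_PASSWORD}
API_KEY=vault:secret/data/app#api_key
SESSION_SECRET=$SESSION_SECRET
"""

if __name__ == "__main__":
    # Usage in a pipeline step: python check_secrets.py deploy.env k8s/*.yaml
    # Exit status 1 blocks the rollout when any literal secret is found.
    sys.exit(1 if scan_paths(sys.argv[1:]) else 0)
```

Run against `BAD_CONFIG` the scanner flags `DB_PASSWORD` on line 3 and `API_KEY` on line 4 and leaves the `${SESSION_SECRET}` reference alone; `GOOD_CONFIG` produces no findings. Wiring `scan_paths` into the pipeline as a failing step is the point of the exercise: the check runs on every change, so it does not depend on a human remembering to look.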
Read this short article for a good introduction to Secure DevOps.
Although DevSecOps is a big topic, it’s worth highlighting security concerns within your CI/CD pipeline. Here are a couple good articles which go over the issues involved:
Read more on DevSecOps at:
We’ve covered: