Question

DevOps is an iterative environment; how do you make sure that security requirements are always considered?

Answer 1

Security must be a first-class citizen throughout the DevOps processes. Security must always be considered and a security expert should be involved from the starting stage of the development. You can’t expect a developer or operations in charge to make security-based decisions. If security is concerned, and it should be in all organizations, there should be an entire team dedicated for that purpose hence increasing their performance. Entire devops process consist of software engineering, technology operations, quality assurance and security team.

Your developer or operations professional should be an expert on topics such as

• data privacy
• intrusion detection
• threat vectors
• Common Vulnerabilities and Exposures (CVEs)
• package security
• authentication
• authorization
• security standards compliance

Accelerate your career with our DevOps Course.

Answer 2

As more and more of your tests and processes are automated, you have less risk of introducing security flaws due to human error, your tests are more efficient and you can cover more ground, and your process is more consistent and predictable. So if something does break, it’s easier to pinpoint and fix.

Answer 3

To tighten DevOps security, while balancing the need for agility, consider implementing the following initiatives and technologies:

• Embrace a DevSecOps model
• Enforce policy & governance
• Automate your DevOps security processes and tools
• Perform comprehensive discovery
• Conduct vulnerability management
• Adopt configuration management
• Eliminate embedded credentials tucked away in code, scripts, files, service accounts, in various tools, cloud platforms, etc.

Answer 4

Effective DevOps security demands cross-functional collaboration and buy-in to ensure security considerations are integrated into the entire product development lifecycle (product design, development, delivery, operations, support, etc.). DevSecOps will entail embedding governance and cybersecurity functions such as identity and access management (IAM), privilege management, firewalling / unified threat management, code review, configuration management, and vulnerability management throughout the DevOps workflow. When done right, you have aligned security with DevOps and enable efficient product releases, while avoiding costly recalls or fixes after code/products are released. For this to succeed, everyone needs to take ownership of adhering to security best practices within their roles.

Answer 5

One of the to ensure security is using segmenting the network. Segmenting the network reduces an attacker’s “line of sight” access. Group assets, including application and resource servers, into logical units that do not trust one another. In the case of access that needs to traverse the trust zones, deploy a secured jump server with multi-factor authentication, adaptive access authorization, and use session monitoring to provide oversight. Further segment access-based context, including user, role, application, and data being requested.

Answer 6

By using tools that are shared across the different functions (especially with an end-to-end DevOps automation platform that spans development, testing, ops, and security), organizations gain visibility and control over the entire systems development life cycle, making the automated pipeline a closed-loop process for testing, reporting, and resolving security concerns which in turn increases the security.