Essential DevOps Security Principles
Automate from Day One.
Automating security makes checks repeatable and removes the manual hand-offs that slow delivery and get skipped under deadline pressure. In a DevOps context this is not optional: the build, test and release pipeline is already automated, so the only way security tests run on every release is to wire them into that same pipeline. In an integrated DevSecOps setup, security becomes one more automated stage rather than a separate gate imposed on the development process.
Integrate to “Fail Fast”.
Integrating security into the DevOps process also makes it possible to apply the agile principle of failing fast, which here means catching security issues as early as possible, when they are cheapest to fix. Testing should therefore sit as close to the developer as possible. For instance, rather than waiting for a release, security tests can be triggered on each check-in, or even made a pre-check-in requirement such as a pre-commit hook that refuses the commit when it fails.
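As an added example (not code from the original page), here is what a minimal pre-check-in gate can look like: a git pre-commit hook that scans only the lines being added by the staged change for a small, illustrative set of secret patterns (an AWS access key ID, a PEM private key header, and quoted `password`/`secret`/`api_key`/`token` assignments) and blocks the commit if any match. The pattern list, the function names and the two constructed sample diffs are assumptions made for this example; the AWS key in the sample is Amazon's published non-functional example key.

```shell
#!/bin/sh
# Pre-commit hook (added example): refuse commits whose staged changes add
# lines that look like hardcoded secrets. Install as .git/hooks/pre-commit.

# Illustrative patterns only; a real deployment would use a maintained
# secret-scanning tool and a much larger rule set.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api[_-]?key|auth[_-]?token)[[:space:]]*[=:][[:space:]]*["'"'"'][^"'"'"']{8,}'

# find_secrets DIFF_TEXT
#   Reads a unified diff, keeps only added lines ("+..." but not the "+++"
#   file header), prefixes each with the file it belongs to, and prints the
#   ones matching SECRET_PATTERNS as "path: line". Prints nothing when clean.
find_secrets() {
  printf '%s\n' "$1" \
    | awk '/^\+\+\+ /{f=substr($0,7); next} /^\+/{print f ": " substr($0,2)}' \
    | grep -E -i "$SECRET_PATTERNS" || true
}

# check_diff DIFF_TEXT
#   Returns 0 when no findings, 1 (after reporting them on stderr) otherwise.
check_diff() {
  findings=$(find_secrets "$1")
  if [ -n "$findings" ]; then
    printf 'pre-commit: possible hardcoded secret(s) in staged changes:\n%s\n' \
      "$findings" >&2
    printf 'pre-commit: move the value to an environment variable or secret store.\n' >&2
    return 1
  fi
  return 0
}

# Constructed sample diffs used to exercise the check offline.
SAMPLE_CLEAN='+++ b/app/config.py
+import os
+API_TOKEN = os.environ["API_TOKEN"]'

SAMPLE_LEAK='+++ b/app/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "hunter2hunter2"'

# When git runs this file as the pre-commit hook ($0 ends in "pre-commit"),
# scan the staged diff; -U0 drops context lines so only real additions are seen.
case "$0" in
  */pre-commit|pre-commit)
    check_diff "$(git diff --cached -U0 --no-color)" || exit 1
    ;;
esac
```

Two caveats a practitioner would want stated: a client-side hook is advisory, since `git commit --no-verify` skips it and hooks are not versioned with the repository, so the same scan must also run on the server or in CI for every push; and scanning only added lines keeps the hook fast and avoids re-flagging history, but a secret that was already committed still needs rotation, not just removal from the tree.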
Maintain Operational Visibility.
Application security cannot stop at deployment. As with every other part of DevOps, a well-engineered security infrastructure must deliver “closed loop” feedback from production: when a security incident or anomaly occurs, the signal has to reach the team that owns the code, not just the operations console. The benefits are the same ones that make DevOps work in the first place: the team can deploy faster because problems are noticed and reverted quickly rather than discovered weeks later; unexpected exceptions and error conditions are caught as they happen; and attacks against the running application are detected and can be blocked while they are in progress.