Essential DevOps Security Principles

Chris Wysopal

This edition of Software Confidential is by Chris Wysopal, Chief Technology Officer at Veracode, where he oversees technology strategy and information security. Chris has testified to the U.S. Congress on government security and how vulnerabilities are discovered in software, and he is the author of “The Art of Software Security Testing”.

Automate from Day One.

Automating security ensures processes are repeatable and minimizes the human steps that can slow things down. In the DevOps context, it is essential because development processes will be highly automated. Therefore, to run security tests for new releases, security must be integrated with these automated processes. In this integrated DevSecOps system, security is not a burden on the dev process.

Integrate to “Fail Fast”.

Integrating security into the DevOps process also makes it possible to implement the agile principle of failing fast. In this context, that means catching security issues as early as possible. Ideally then, testing should be integrated as close to the developer as possible. For instance, rather than waiting for releases, security tests could be triggered on check-in or even made a pre-check-in requirement.

Maintain Operational Visibility.

Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered security infrastructure must deliver “closed loop” feedback from production in the event of a security incident. This has a range of benefits, including enabling the team to deploy faster, catching exceptions, and detecting and protecting against attacks.

By Chris Wysopal | 25 Apr 2018
