You've probably heard much about DevOps, and likely most of it has been positive. We recently quoted a Forrester report on the topic, saying: "Forrester surveyed 600 IT professionals with application development responsibilities in the US, Canada, France, Germany and the UK. It found that a third of teams were able to consistently deliver results [using DevOps] in one to three weeks."
However, anyone contemplating a new software development practice such as DevOps would reasonably ask: "What about security?" And if they went looking for answers, their first reaction might be confusion. A casual trawl of the web produced some conflicting statements.
Here's one. "In a recent CA survey the top obstacle (28 percent) to DevOps in their organisation were security or compliance concerns. Yet, in the same study, a huge percentage (88 percent) already have or plan to adopt DevOps in the next five years."
The author continued: "Security teams argue that DevOps is the antithesis of good security. Constant change, open culture and automation smack directly in the face of security’s tactics of compartmentalisation and tight process control. Here is a little secret – DevOps is winning, information security is losing."
Here's another one, from Peter Cheslock, head of the operations and support teams at security company Threat Stack: "Recognise that the tools which enable DevOps to work so well also introduce new threats and attack surfaces."
Contrast those two with this one: "The DevOps model isn't a threat to security; it's a tool that can be used to enforce security like never before." The article reported the views of Securosis CEO and analyst Rich Mogull who "explained why the emerging world of DevOps can radically remake how security is built into the software development and deployment process."
The author said: "Since the DevOps model is ...