Seriously, it seems a bit ridiculous that we still need to talk about the importance of security, or discuss whether or how security should be incorporated in various technologies or platforms. There was never a time when it was appropriate for security to be an afterthought, and we have already suffered the consequences many times over from products and services where security was handled as such. DevOps is no different.
In fact, because DevOps accelerates so much of the development process, it is more crucial than ever that security be baked in every step of the way. I wrote about a session from the 2014 RSA Security Conference about security and DevOps:
DevOps is often a culture of rapid development and frequent rollouts—a culture and mentality that make it very easy to ignore security. All of the traditional challenges of trying to apply security after the fact are exacerbated exponentially in an environment where code is constantly being updated and implemented. So, can security and DevOps coexist? The answer is “yes.” Actually, the answer is “it is imperative that they do.” There was a very interesting session at the RSA Security Conference related to this issue presented by Andrew Storms and Eric Hoffmann, “Secure Cloud Development Resources With DevOps.” Storms and Hoffmann stressed that trying to apply old-fashioned thinking to cloud services or DevOps is a recipe for disaster. They recognize that developers are smart and will find ways to circumvent security tools if they get in the way of efficient coding. They also reiterated that security has to be integral to development and can’t simply be bolted onto the finished product.
Read the complete post on the RSA Blog: Can Security and DevOps Coexist?