DevOps is designed to remove the issues caused by developing IT in isolation. It ensures development is aligned to IT operations while placing a greater focus on users and providing a quicker route to deployment. Continuous integration (CI), in which code is created, committed and tested, and continuous deployment (CD), which moves code from testing to production, may appear to pose a threat to traditional approaches to security and governance. However, in a truly successful DevOps culture, security will have ‘shifted to the left’ where, rather than being an afterthought, it is one of the earliest considerations.
This paper looks at how to achieve a successful SecDevOps model that ensures security can be delivered at speed in the pre-build phase and during the build itself. Pre-build recommendations cover securing the environment, using a rapid risk assessment model, and looking at ‘abuser stories’ and ‘misuse cases’. The paper also looks at measures to secure the build process itself, including an integrated development environment, blocking bad code, and different approaches to testing.
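As an added illustration of the ‘blocking bad code’ measure mentioned above (example code written for this page, not taken from the paper), the following Python script shows the shape of a shift-left CI gate: it scans only the lines a change adds to a unified diff, matches them against a small rule set, and refuses the build when a high-severity finding appears while still reporting lower-severity ones. The rule patterns, severity levels, blocking threshold and the sample diff are all constructed assumptions, not a vetted ruleset.

```python
"""Minimal shift-left build gate (added example, not from the paper).
Scans added lines of a unified diff and blocks the build on severe findings.
Rules, severities, threshold and the sample diff are constructed assumptions."""
import re
from dataclasses import dataclass

# Each rule: (name, severity 1 low .. 3 high, compiled pattern).
# Illustrative patterns only; a real gate would use a maintained scanner.
RULES = [
    ("hardcoded-secret", 3,
     re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]")),
    ("shell-injection-risk", 3, re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("insecure-hash", 2, re.compile(r"hashlib\.(md5|sha1)\(")),
    ("debug-left-on", 1, re.compile(r"\bdebug\s*=\s*True\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: int
    file: str
    line: int
    text: str


def scan_diff(diff: str) -> list[Finding]:
    """Check only the '+' lines of a unified diff; untouched code is out of scope
    for this gate, which keeps the check fast enough to run on every commit."""
    findings: list[Finding] = []
    current_file = None
    line_no = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")  # new-file path
            continue
        if raw.startswith("@@"):
            # hunk header "@@ -a,b +c,d @@": the new-file side starts at line c
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):  # removed lines (and the '---' header) do not count
            continue
        line_no += 1  # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for name, sev, pat in RULES:
            if pat.search(content):
                findings.append(Finding(name, sev, current_file or "?", line_no, content.strip()))
    return findings


def gate(findings, block_at: int = 3):
    """Return (allowed, blocking_findings). Findings at or above block_at fail
    the build; lower ones are surfaced to the developer but do not block."""
    blocking = [f for f in findings if f.severity >= block_at]
    return (not blocking, blocking)


# Constructed sample diff: a change that adds a secret, leaves debug on and
# downgrades a hash. The key value is a placeholder, not a real credential.
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import hashlib
+API_KEY = "constructed-example-not-a-real-key"
+debug = True
 def digest(data):
-    return hashlib.sha256(data).hexdigest()
+    return hashlib.md5(data).hexdigest()
"""

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    allowed, blockers = gate(found)
    for f in found:
        print(f"{f.file}:{f.line} [{f.rule} sev={f.severity}] {f.text}")
    print("BUILD ALLOWED" if allowed else f"BUILD BLOCKED ({len(blockers)} blocking finding(s))")
```

Run against the constructed diff, the gate reports all three findings and blocks on the hardcoded secret alone; wiring it into a pipeline is a matter of feeding it the commit's diff and exiting non-zero when `gate` returns `False`. Keeping the threshold separate from the rules lets a team start with a high bar and lower it as the rule set matures, which is the usual way to introduce a gate without stalling delivery.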