A DevOps Approach to Security Controls


November 4, 2019

The DevOps movement has made it possible for leading companies to get their applications to market faster, with higher quality and reduced costs. DevOps is both a culture and a set of processes that enable development and operations teams to create, release, and manage applications following a Systems Development Life Cycle (SDLC) that is typically automated via Continuous Integration/Continuous Delivery (CI/CD) tooling. Today, DevOps principles have expanded beyond merely managing the application to managing the environment itself, giving rise to concepts such as software-defined networking and infrastructure as code. A security control is a testable countermeasure designed to mitigate a specific risk; multiple, complementary controls combine to create security capabilities. Of course, security engineers need to bake security into applications throughout the SDLC by engaging with operations and development teams and hooking into the CI/CD toolchain. This presentation makes a corollary argument, advocating that security teams apply the same DevOps principles to how they implement security controls for virtually every compliance requirement, using a “security controls as code” approach. We will present tools that can support this paradigm, but more importantly, we will look at some fundamental principles that can be applied immediately to the development, implementation, and enforcement of security controls.

A DevOps Approach to Security Controls - SLIDES (11/4/2019)
