July 31, 2017
Many companies have been performing DevOps successfully for roughly a decade. The issue has been how to integrate security within the DevOps process. Most companies, that I have seen, struggle with this since there are so many silos built up. This causes teams not to talk to one another. The developers build this beautiful thing that takes code seamlessly from conception through an automated deployment process and finally to the web for consumer consumption. Most of the time the only part missing is the Security Team.
Over the years the Security Team has done a rather fine job of isolating themselves and not participating in the development process. They only seem to exist to make sure nothing really bad happens. They do their normal vulnerability patching and scanning. However, we need to take them out of this silo and integrate them with the development team. This is where we will see the most bang for the buck, especially in the DevOps culture.
With an integrated Security Team, we can have security tools integrated within the deployment pipeline to ensure the code is secure. We can have discussions with developers regarding planned code changes and redirect issues (if found) prior to code getting developed or deployed.
Let's get rid of those silos and integrate teams.
This article was inspired by DARKReading.