Continuous security and reliability in iterative development

Table of Contents

  1. Summary
  2. The rise of DevOps and continuous deployment
  3. Why existing security procedures fall short
  4. Balancing automation and human testing
  5. Operational and logistical impacts of continuous testing
  6. Security at scale
  7. Key takeaways
  8. About Mike Kavis

1. Summary

Rapid delivery poses new and more frequent security challenges, requiring an entirely different set of solutions. Chief among them is a move from waterfall-style testing methods to a more adaptive, continuous, DevOps-appropriate approach.

DevOps and continuous delivery allow businesses to deploy software far more frequently than in the past, increasing consistency, predictability, and ultimately, quality. With iterative development, the deltas between builds are much smaller, reducing the likelihood of catastrophic errors. Bugs are smaller and easier to fix, if caught in time. However, while each release introduces smaller bugs, it introduces them far more often, and any that evade detection can accumulate into serious problems.

While functional problems can often be detected through regular use, security vulnerabilities are harder to spot. In companies that deploy many times per day, traditional security procedures such as static scans can often take longer than the life of the build, and excessive human interaction can rob highly automated DevOps projects of the very agility they were designed to create. To deliver on its goals, IT must build security checks into the delivery pipeline itself, so that concerns are modeled and addressed as code is built and deployed rather than in a separate review that the build outruns.

This report will help IT executives and development teams understand the new approaches to security required in a continuous deployment environment.

Key findings include:

  • Today’s cloud architectures are much more complex and distributed than the architectures previously built on premises, so new approaches to security are required for managing the additional complexity.
  • Since infrastructure as code allows virtual machines to be provisioned and de-provisioned within minutes, keeping track of security vulnerabilities without automation is impossible.
  • Companies are deploying more frequently due to the adoption of continuous deployment, resulting in frequent changes to the underlying infrastructure. They must continually ensure that their environments are secure and compliant.
  • Threats are becoming more sophisticated. The old model of performing annual assessments and security scans is no longer adequate for protecting today’s environments. Monitoring for compliance and security must be a continuous effort.
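The last three findings share one consequence: on infrastructure that is provisioned and torn down in minutes, a security team cannot know from memory or from a quarterly spreadsheet which hosts were ever assessed, or whether a host changed after its last scan. The following is an added illustration (not code from the GigaOm report) of the kind of automated bookkeeping that replaces the annual assessment: given an inventory of short-lived instances and a log of completed scans, it flags every host that was never assessed while it was alive, every host whose scan result only arrived after the host was gone, every running host whose last scan is older than the policy window, and every host that was reconfigured after its last scan. The instance records, scan records, field names and the 24-hour rescan policy are all constructed assumptions for the example.

```python
"""Scan-coverage check for ephemeral infrastructure (added example, not from the report).

All records below are constructed sample data; MAX_SCAN_AGE is an assumed policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Instance:
    instance_id: str
    launched: datetime
    terminated: Optional[datetime]   # None means the host is still running


@dataclass
class Scan:
    instance_id: str
    started: datetime
    finished: datetime
    findings: int                    # open findings reported by the scanner


@dataclass
class ConfigChange:
    instance_id: str
    applied: datetime                # e.g. a new build or infrastructure-as-code apply


MAX_SCAN_AGE = timedelta(hours=24)   # assumed policy: a running host is rescanned at least daily

# Gap descriptions, kept as constants so reports are machine-comparable.
GAP_NEVER_SCANNED = "never scanned while alive"
GAP_SCAN_OUTLIVED_HOST = "scan result arrived after the host was terminated"
GAP_SCAN_TOO_OLD = "last scan older than policy window"
GAP_CHANGED_AFTER_SCAN = "configuration changed after last scan"


def coverage_report(instances: List[Instance], scans: List[Scan],
                    changes: List[ConfigChange], now: datetime) -> Dict[str, List[str]]:
    """Return, per instance, the list of policy gaps (empty list means compliant)."""
    report: Dict[str, List[str]] = {}
    for inst in instances:
        gaps: List[str] = []
        end = inst.terminated or now
        # Scans that at least started during the host's lifetime ...
        attempted = [s for s in scans
                     if s.instance_id == inst.instance_id and inst.launched <= s.started <= end]
        # ... and of those, the ones that actually finished before the host went away.
        completed = [s for s in attempted if s.finished <= end]
        if not completed:
            gaps.append(GAP_SCAN_OUTLIVED_HOST if attempted else GAP_NEVER_SCANNED)
        else:
            last = max(completed, key=lambda s: s.finished)
            if inst.terminated is None and now - last.finished > MAX_SCAN_AGE:
                gaps.append(GAP_SCAN_TOO_OLD)
            if any(c.instance_id == inst.instance_id and c.applied > last.finished for c in changes):
                gaps.append(GAP_CHANGED_AFTER_SCAN)
            if last.findings > 0:
                gaps.append(f"{last.findings} open finding(s)")
        report[inst.instance_id] = gaps
    return report


# Constructed sample data: one 20-minute host, one long-running host, one recent host, one unscanned host.
NOW = datetime(2024, 1, 1, 12, 0)
INSTANCES = [
    Instance("i-short", datetime(2024, 1, 1, 8, 0), datetime(2024, 1, 1, 8, 20)),
    Instance("i-long", datetime(2023, 12, 30, 9, 0), None),
    Instance("i-ok", datetime(2024, 1, 1, 6, 0), None),
    Instance("i-none", datetime(2024, 1, 1, 11, 0), None),
]
SCANS = [
    # Started while i-short was alive but took 35 minutes; the host lived 20.
    Scan("i-short", datetime(2024, 1, 1, 8, 5), datetime(2024, 1, 1, 8, 40), 0),
    Scan("i-long", datetime(2023, 12, 31, 10, 0), datetime(2023, 12, 31, 10, 30), 0),
    Scan("i-ok", datetime(2024, 1, 1, 6, 10), datetime(2024, 1, 1, 6, 40), 2),
]
CHANGES = [
    ConfigChange("i-long", datetime(2024, 1, 1, 9, 0)),   # applied after i-long's last scan
]

if __name__ == "__main__":
    for host, gaps in coverage_report(INSTANCES, SCANS, CHANGES, NOW).items():
        print(f"{host}: {', '.join(gaps) if gaps else 'compliant'}")
```

The `i-short` case is the one the summary describes: the scan was launched promptly but finished after the host had already been replaced, so its result describes a machine that no longer exists. In a real pipeline the inventory and scan records would come from the cloud provider's API and the scanner's results store, and a report with any non-empty gap list would block promotion or page the on-call engineer; the point is that the question "is every host assessed and current?" has to be answered by code, on every change, rather than by a person once a year.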


Full content available to GigaOm Subscribers.
