THE CASE FOR CONTINUOUS SECURITY

By Pete Cheslock Senior Director of Ops and Support at Threat Stack

@petecheslock

DevOps is a term that has absolutely blown up in the last 5 years.

However, many had an immediate adverse reaction towards Yet Another Buzzword

…especially when the core concepts of “DevOps” were things people had been doing for YEARS!

To shorten the feedback loop in development cycles,

allowing teams to iterate quickly on changes and ship features to customer sooner.

The Core Tenant of DevOps

Mainstream DevOps =

Easily accessible cloud infrastructure+

Maturity of operational tooling

For companies starting new product development initiatives,

using Configuration Management is table stakes to iterate quickly!

IaaS providers today make it as easy as possible to provision systems

to meet infrastructure needs — and quickly.

Physical Data Center

Public Compute Resources

for flexibility and accessibility provided by Amazon, Google, Microsoft

Companies leverage Infrastructure as Code for major speed to market benefits

The Competitive Advantage

Companies can now provision hundreds (or thousands) of compute

instances in mere minutes. !

This is an every day activity!

Continuous Integration

Continuous Deployment

But who (or what) is continually monitoring the state of your

operational security?!

Junior sysadmins can now make changes to:!

• a Chef Recipe• a Puppet Manifest• an Ansible Playbook

!

!

…and deploy it to production — in minutes…

Today…

What is the scope of that change?

to be slowed down by the security team!

or !

configuration management changes to be passed through a Change Control Board

Sysadmins DON’T Want:

to change a variable, open a pull request, and once merged, their operational tooling to do the rest!!

They want their change to hit production servers ASAP.

Sysadmins Want:

This is where SecDevOps (or SecOps) comes in.

(ignore the fact that it’s a silly buzzword just like DevOps…)

If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions…

Developers Operations

value constant change value stability

…then SecDevOps seeks to evoke the SAME outcome with Security teams

(and the rest of the business)

If you’re continually deploying changes,you must be continually monitoring

security implications for operational changes.

Often times there is no single person that is able to say with absolute certainty which changes to infrastructure have additional risks towards your security posture.

And, if you have a traditional network security organization

that manually reviews and approves changes to production… !

!

You’ve introduced the newest bottleneck in your organization. !

!

!

!

!

!

A SecDevOps methodology allows you to improve your security monitoring

and response times, while maintaining your ability to continually

deploy changes

SecDevOps is the answer to this discussion.

This is the most important (and exciting!) problem to solve in many organizations!

But it is also one of the hardest problems to solve. !

This is why at Threat Stack, we’re all excited to be in a unique position to actively

help companies solve this.

Start Implementing Continuous Security Today!

!

threatstack.com