Last year, one of my book of the month selections was The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations (IT Revolution Press 978-1942788003), by Gene Kim, Patrick Debois, John Willis and Jez Humble.
As noted at DevOpsSec, the challenge facing DevOps teams today is that incorporating security into their day-to-day work is not always easy or intuitive. Security often runs one step behind, or out of sync with, lean DevOps teams.
In Securing DevOps: Safe services in the Cloud (Manning Publications 978-1617294136) author Julien Vehent takes the core elements of DevOps and shows how they can be implemented within enterprise information security groups to make cloud services safer.
This is a technical guide, meant for the reader who is comfortable with basic system administration tasks in a Linux environment. The reader is also expected to be comfortable with Amazon Web Services (AWS) and associated frameworks such as Chef and Puppet. The author provides a copious amount of code examples, and the reader is expected to understand how to implement them.
DevSecOps, or as it is sometimes called, continuous security, is the addressing of information security and security testing within the DevOps continuous delivery pipeline.
The first part of the book provides an excellent overview of how to secure all of the core areas of the cloud. This includes the web application, the cloud infrastructure, and the communications and delivery pipeline. Far too many organizations place too much trust in the security controls provided by AWS (or whatever cloud provider they are using), and don’t develop or implement the additional controls necessary. The book shows the reader in great detail how to use those controls and ensure they are providing effective security for the cloud application.
The culture and practice of DevOps is a large software engineering undertaking. To be done effectively, it requires the software development team to be on board. DevSecOps requires the same of information security. It has the power to revolutionize many security groups. Far too many of them have a “set it and forget it” approach, updated perhaps annually when an auditor comes knocking. DevSecOps changes all of that in a radical manner. Security organizations have to be ready for that and embrace the changes required.
For those with a forward-thinking CSO and engineering teams looking to truly enhance information security, DevSecOps is an extremely powerful philosophy that can be used to build and integrate truly effective security controls.
The book is a first-rate hands-on reference for those looking to deploy DevSecOps within their organizations. DevSecOps is far too broad to be encompassed in a single reference, but Julien Vehent does an excellent job of showing the reader how to build the entire lifecycle of security controls to effectively secure cloud applications.
I think that in under ten years, DevSecOps will be an essential approach to any information security group. Securing DevOps: Safe services in the Cloud is a solid guide that can show the reader what the future of information security in the cloud will look like.