Most people focus on AppSec and how to make that quicker, but DevOps is also about operations and infrastructure. Learn about some automation points around this.
- [Instructor] Let's talk about the Ops side of DevOps and how DevSecOps fits in. It's easy to focus on application security because, like traditional development teams, network security and application security were handled separately. With DevOps we have to consider security across the whole platform. Remember, cloud is built for automation. Good DevOps teams should include infrastructure automation as a part of their development process. Things like server creation and network configuration should all be automated as a part of their build. Security teams should take advantage of that and use Ops checks in their DevSecOps tool set.
There is a lot of Ops automation that can be done, but here are a few examples. The most common is vulnerability scanning. Tools like Nessus and Qualys can look for things like outdated operating systems and missing patches on servers. Another thing that can be automated is the network security group review. You can use automation to check and make sure that your networks are not overly permissible in the cloud, and that you have them locked down appropriately by application group. Another thing that you can do is look for patching compliance. You can look and make sure that all the systems are patched and, when you find noncompliance, automatically notify the development teams.
The last thing you can look for is encryption at rest. In the cloud everything should be encrypted. You can use your DevSecOps automation to look through all the data on the cloud and ensure compliance with this requirement. Development and operations tools should be part of a single tool set. They shouldn't be broken out into separate buckets. Although they're all part of the DevSecOps toolkit, they do have different focuses. The development tools focus on detecting problems before they make it to production. The operations tools focus on detecting, protecting, and blocking applications that are already in production.
As we stated before, DevOps, cloud, and automation are all partners. The key is to integrate security into each of these areas to make sure our DevSecOps rollout is successful.
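The three Ops checks the instructor lists (network security group review, patching compliance, encryption at rest) as one small pipeline step, added here as an example and not code from the course; the inventory records, port list and patch-age threshold are constructed assumptions standing in for whatever your cloud provider's inventory export returns.

```python
import ipaddress
from datetime import date

# Constructed sample inventory (not real infrastructure): the shape an
# inventory export might have after the build pipeline provisions it.
SECURITY_GROUPS = [
    {"name": "web-sg", "rules": [{"port": 443, "cidr": "0.0.0.0/0"},
                                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"name": "db-sg", "rules": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                {"port": 22, "cidr": "::/0"}]},
]
VOLUMES = [
    {"id": "vol-app-01", "encrypted": True},
    {"id": "vol-db-01", "encrypted": False},
]
SERVERS = [
    {"host": "web-01", "last_patched": date(2024, 5, 1)},
    {"host": "db-01", "last_patched": date(2024, 1, 15)},
]

# Assumed policy: admin and database ports must only be reachable internally.
INTERNAL_PORTS = {22, 3389, 5432, 3306, 1433}

def is_world_open(cidr):
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def permissive_rules(groups=SECURITY_GROUPS):
    """Network security group review: internal ports exposed to the world."""
    return [(g["name"], r["port"], r["cidr"]) for g in groups
            for r in g["rules"]
            if r["port"] in INTERNAL_PORTS and is_world_open(r["cidr"])]

def unencrypted_volumes(volumes=VOLUMES):
    """Encryption-at-rest check: every volume must report encrypted=True."""
    return [v["id"] for v in volumes if not v["encrypted"]]

def unpatched_servers(servers=SERVERS, today=date(2024, 5, 10), max_age_days=30):
    """Patching compliance: hosts not patched within max_age_days."""
    return [s["host"] for s in servers
            if (today - s["last_patched"]).days > max_age_days]

def run_ops_checks():
    """One report a pipeline can fail on, or forward to the owning team."""
    return {"permissive_rules": permissive_rules(),
            "unencrypted_volumes": unencrypted_volumes(),
            "unpatched_servers": unpatched_servers()}

if __name__ == "__main__":
    for check, findings in run_ops_checks().items():
        print(f"{check}: {findings or 'OK'}")
```

Wire `run_ops_checks()` into the same build that provisions the infrastructure, so a non-empty finding blocks the deploy or opens a ticket for the development team rather than waiting for a periodic audit.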