Big-scale, big problems happen when we don't bake security in at the beginning and then make adjustments as we go.
So, let's cut to the chase. How do we integrate security into DevOps?
1. Embrace automation: Use and/or build the tools.
2. Change the culture: Make security our friend, not our foe.
Embrace automation (tools)
Let's take the problem of stolen or weak passwords. It's a simple problem but at huge scale. "If you wait for a human being to get involved, it's not going to scale."
Vincent Danen, Director of Product Security at Red Hat explains on the latest podcast that we're seeing more, not fewer, vulnerabilities every day. We will not reach a day when security is done, reached, complete. It's as "normal as breathing now." In terms of our continuous integration and deployment processes, there's so much coming out "every day, every hour. You write code and it's deployed ten minutes later."
What to do? Get your automation tools in place and security becomes baked in.
That's half of it.
Change the culture (people)
The other half is the mindset of the people setting up the meetings, giving direction, and telling each other what's important.
How do we get developers and operations in the kitchen together baking in some solid security?
Training exercises. At Netflix, it's Chaos Monkey. At Google, it's the DiRT (Disaster Recovery Testing) program. The idea is to break things at massive scale so your team can a) experience it and b) study and learn from it.
It all comes down to strong, reliable, and secure code.
Security: the next level
Will user behavior one day decide the level of security needed for access? We don't know yet, but the one thing we know for sure is that security matters if you want to be relevant in today's tech landscape.
For a fuller audio discussion with people at the ground level doing this work, download the Command Line Heroes podcast.