Oct 12 2013

Can DevOps become SecOps?

Published by at 10:40 pm under Simple Security

This is an incomplete thought.

This week I saw Gene Kim give his talk on DevOps and The Phoenix Project for the first time. I’d read the book and loved it, but I’d never seen Gene put life into the concepts himself. I was mesmerized by his animation and energy in the presentation.

What I couldn’t help thinking is, how can this be translated into security? DevOps has a security component, but it’s the collaboration between development and operations that makes this work. So how can that collaboration be expanded to cover the whole business? I’m probably expressing this poorly, but I think we need to work towards a business model where the whole business thinks of security as simply a part of how they think about how security is part of the fabric of what we do, rather than the bolt on it is now.

I’m going to have to give this a lot more thought, but I’m glad I got to see him talk rather than simply reading his book.


5 Responses to “Can DevOps become SecOps?”

  1. Chris Short on 13 Oct 2013 at 6:06 am

    Convincing people is the hard part. But, I would be very interested in hearing more.

  2. Garth Schwer on 13 Oct 2013 at 1:10 pm

    Hi Chris,

    The “Ops” team have written a whole book regarding this very topic.

    It’s on my reading list, but haven’t gotten around to it yet.


  3. Tracy Reed on 13 Oct 2013 at 3:52 pm

    I mix security and devops every day in my work. We use puppet extensively to enforce hardening configurations on systems and to ensure that logging is configured correctly to go to the central log server. We write lots of custom code for security tools and take a devops approach to that development also. Just as there is programmer training involved in devops there is security training to be done also. End-user security training is the largest and hardest problem I see still needing to be dealt with. I’m not yet sure how devops can help with that.

  4. Ben Tomhave on 14 Oct 2013 at 3:22 am

    What Tracy said. Really, quit trying to make security a centerpiece – it needs to go away. The DevOps place for security is fully integrated and no longer standalone. Bake-in all the necessary tools and requirements. Gold images should have everything you need in them. Dev and QA should have appsec testing tools in-hand for tighter feedback loops. Logging, monitoring, and response should all be tied directly into Operations, and “security” (really governance and risk mgmt) should simply provide guidance and training along the way to improve detection and response capabilities, help architect new pieces when visibility is lacking, and focus on auditor-like testing when a 3rd party perspective is useful. Overall, “security” as a team shrinks to almost nothing as we as an industry get out of the way and let Dev and Ops own and incorporate all the security requirements into their standard duties.

  5. Martin on 14 Oct 2013 at 4:34 am

    You misunderstand, but that’s to be expected when I only write a paragraph. I don’t want to make security the centerpiece of anything, I just want to see it woven into the fabric of the enterprise. Your point about ‘security shrinking’ is exactly what we should be looking at, but instead of shrinking what’s really happening is that it needs to be absorbed into the rest of the organization. In effect, you actually have more people actually doing security, even if it’s not in their job title.

    I think we agree more than not, so I’m not going to go on.
