Many organisations that develop IT Services have embraced the thinking behind the DevOps culture. Having operations skills involved from day one in the development or change of an IT Service ensures that the solution is built in a way that is fit for real-world operations. Continuous integration, continuous testing and automation of anything that can be automated are also best practices that have been embraced by our profession. Finding integration issues and quality problems as early as possible in the development process saves time and money.
Far too many examples can be found, however, where a project more or less finishes its work before involving security professionals and asking them to perform security audits and/or penetration tests. Done this way, the results of these activities will at best be half-measures, and the cost of resolving the issues that are found will be prohibitive in both time and money.
So why not embrace a SecDevOps culture:
- Involve security professionals in the project from day one.
- Integrate security audits, penetration tests etc. in your integration and testing pipeline.
- Make sure that security features such as segregation of duties, IAM, SIEM as well as functional support for GDPR requirements are included in the project backlog from day one.
IT Services need to be developed with security in mind at every single step of the development process (see Secure Development Life Cycle Models) in order for the service to be fit for deployment in real-world operations, where security threats are not only real and present today but also getting worse by the minute. So if you are planning a new development project, why not toy with the idea of involving a security professional in your cross-functional team?