DevOps represents the natural evolution of software and how we build it. Long gone are the days of spending years trying to build the perfect piece of software. DevOps works because it’s not about building the perfect thing once; it’s about building one little thing and then working on it in quick increments. Why release once a year when you can release once a day?
The way security is thought about in most organizations is very similar to how we used to build software. There is an obsession with perfection when what we really need is to understand what our security minimum viable product (MVP) is. Even once we understand our MVP, mistakes will be made. The ability to move quickly is by far the most valuable quality of good security.
Using the OWASP Top 10 as his guide, Josh Bressers explores some of the most common security mistakes and explains how they might be avoided with just three basic development concepts that are easily covered by a DevOps process. Josh begins with a discussion of authentication. For a long time, security people warned not to roll your own crypto. Now you shouldn’t roll your own auth either. If you simply use an OAuth or SAML provider, you can avoid nearly half of the Top 10 list. Josh then moves on to data, trust, and operations. He concludes by examining security and DevOps, demonstrating that there’s no such thing as DevSecOps; it’s really just DevOps.
Josh Bressers is the head of product security at Elastic. Josh has been involved in the security of products and projects, especially open source, for a very long time and has helped build and manage security groups for many open source projects as well as a number of organizations—everything from managing vulnerabilities and the security development lifecycle to DevSecOps, security product management, security strategy, and nearly any other task that falls under the security umbrella. Josh cohosts the Open Source Security Podcast. He is an active member of the Distributed Weakness Filing (DWF) project, which is in the process of leveraging the power of open source for CVEs.
©2018, O'Reilly Media, Inc. • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.