Security and Continuous Delivery. They are unlikely friends because security has historically taken an approach to do large batch testing, freeze development windows, and do annual compliance testing. These older approaches don’t work in the world of Continuous Delivery. In Continuous Delivery, there is a complete departure from traditional delivery cycles of months and quarters to times in minutes and seconds. One of the oft-quoted mantras of Continuous Delivery is that you should focus not just on speed but on how little can be delivered at a time — security has to move away from infrequent batch testing approaches to more agile approaches.
The Delivery Pipeline and Security’s Role
In the delivery pipeline, I like to think of these five stages.
Introspective Questions for Security to Add Value
I was able to give a presentation on this topic last week at GOTO Amsterdam and we drilled in on 3 phases in particular for places where security can add value.
— James Wickett (@wickett) June 8, 2017
At each of these three phases there are introspective questions I like to ask:
- Inherit — What have I bundled into my application (either intentionally or unintentionally) that leaves me vulnerable?
- Build — Can my build acceptance tests catch security flaws and before being released?
- Operate — Am I being attacked right now and if yes, are the attackers having success?
With these three questions, this can be a guide for where to spend time and effort for security in organizations doing continuous delivery. If you are interested in this, you can see the full presentation or comment on twitter @wickett or a comment over at medium.
The Signal Sciences’ Web Protection Platform protects modern applications, microservices and APIs from real attack and threat scenarios, and can be deployed in any infrastructure and technology stack.