Security infrastructure as code.
We’ve been wrestling with the idea of software development methodologies (Waterfall, Agile), infrastructure-as-code (cloud deployments, DevOps, DevSecOps) and coding best practices (OWASP, BSIMMS, SAMM) going on for two decades now. These are not independent systems. They overlap and interact. Up to this point, at least for the security side, they have been manual tasks, toil, that are prone to mistakes. We all know that automation can reduce the impact, at least be consistent with mistakes we make, and can offer a uniform fix across the enterprise once we have decided what to do. Automation is the key first principle strategy to get this done and DevOps/DevSecOps is the tactic we will all use to get there.Rick Howard takes us through the topic.
For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.