My notes from the DevOps Handbook

by Gene Kim, Jez Humble, Patrick Debois, John Willis

63. Integrate Information Security, Change Management, and Compliance

When we integrate security work into everyone's daily work, making it everyone's responsibility, we help the organization have better security.

Information Security as Everyone's Daily Job

DevOps may be one of the best ways to better integrate information security into the daily work of everyone in the technology value stream.

Integrate security into development iteration demonstrations

Have feature teams engaged with Infosec as early as possible, as opposed to primarily engaging at the end of the project.

When it came to information security and compliance, we found that blockages at the end of the project were much more expensive than at the beginning, and Infosec blockages were among the worst.

By having Infosec involved throughout the creation of any new capability, we were able to reduce our use of checklists dramatically and rely more on their expertise throughout the entire software development process.

Integrate security into defect tracking and post-mortems

Track all open security issues in the same work tracking system that Development and Operations are using,