My notes from the DevOps Handbook

by Gene Kim, Jez Humble, Patrick Debois, John Willis

64. Integrate security controls into shared source repositories and services

Add to our shared source code repository any mechanisms that help ensure our applications and environments are secure. Add libraries that are pre-blessed by security to fulfill specific Infosec objectives, such as authentication and encryption libraries and services. Because everyone in the value stream uses version control for everything, putting our information security artifacts there makes it easier to influence the daily work of Dev and Ops. Version control also serves as a communication mechanism that keeps everyone aware of the changes being made.

Provide security training to Dev and Ops, as well as review what they've created to help ensure that security objectives are being implemented correctly.

Provide Dev and Ops with effective security-specific configuration settings for the components they use in their application stacks, such as for logging, authentication, and encryption:

By putting all these into our shared source code repository, we make it easy for any engineer to correctly create and use logging and encryption standards in their applications and environments, with no further work from us. Collaborate with Ops teams to create a base cookbook or build image of our OS, databases, and other infrastructure.

Integrate security into our deployment pipeline

Automate as many of our information security tests as possible.

Provide both Dev and Ops with fast feedback on their work, so that they are notified whenever they commit potentially insecure changes and can quickly detect and correct security problems as part of their daily work. This enables learning and prevents future errors.

Ideally, these automated security tests will be run in our deployment pipeline alongside the other static code analysis tools.
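As an added illustration (not from the book or these notes) of both ideas above, a pre-blessed library list and security-specific settings kept in the shared repository, and an automated security test that gives fast feedback in the deployment pipeline: the gate below flags imports that bypass the blessed crypto/auth library and config changes that weaken a required setting. All module names, config keys and the sample commit are constructed for the example.

```python
"""Constructed pipeline security gate: fail fast on non-blessed crypto/auth imports or weakened security settings."""
import json
import re
from collections import namedtuple

# Non-blessed module -> pre-blessed library from the shared repo (constructed names).
BLESSED_REPLACEMENT = {"Crypto": "cryptography", "md5": "cryptography", "homegrown_jwt": "authlib"}
# Security-specific settings every service config must satisfy (constructed keys).
REQUIRED_CONFIG = {
    "tls_min_version": ("TLS minimum 1.2", lambda v: isinstance(v, (int, float)) and v >= 1.2),
    "log_auth_events": ("authentication events logged", lambda v: v is True),
}
# First module of `import x` / `from x import y`; assumes one import statement per line.
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_][\w.]*)", re.M)
# line is 0 when the finding applies to the whole file.
Finding = namedtuple("Finding", "path line message")

def check_imports(path, source):
    """Flag imports that bypass a pre-blessed library, with the line to fix."""
    findings = []
    for m in IMPORT_RE.finditer(source):
        top = m.group(1).split(".")[0]
        if top in BLESSED_REPLACEMENT:
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, f"'{top}' is not security-approved; "
                                                f"use '{BLESSED_REPLACEMENT[top]}'"))
    return findings

def check_config(path, text):
    """Flag missing, weakened, or unparseable security-specific settings."""
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return [Finding(path, 0, f"config is not valid JSON: {exc}")]
    return [Finding(path, 0, f"{key}={cfg.get(key)!r} does not satisfy '{desc}'")
            for key, (desc, ok) in REQUIRED_CONFIG.items() if not ok(cfg.get(key))]

def gate(changed_files):
    """changed_files maps path -> contents; any finding fails the pipeline stage."""
    findings = []
    for path, content in changed_files.items():
        if path.endswith(".py"):
            findings += check_imports(path, content)
        elif path.endswith("security.json"):
            findings += check_config(path, content)
    return findings

# Constructed sample commit: a non-blessed cipher import and a weakened config.
SAMPLE_CHANGE = {"app/tokens.py": "import os\nfrom Crypto.Cipher import AES\n",
                 "app/security.json": '{"tls_min_version": 1.0}'}
```

Run `gate(SAMPLE_CHANGE)` in the pipeline stage and fail the build when the returned list is non-empty; each finding carries the file and line so the committer gets the feedback immediately.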