SANS Institute

A DevSecOps Playbook

This playbook summarizes how DevOps and information security can coexist through a newer approach referred to as DevSecOps. To accommodate the shift to this approach, security teams need to keep the following in mind:

  • Determine the current code promotion and QA processes in place at your organization and decide where security team members can best integrate into the code development and promotion life cycle.
  • Work with business unit leaders to understand their goals as they relate to rapid development, and learn how operations and security teams can better work with programmers throughout the software development life cycle.
  • Evaluate how operations currently collaborates with development, and identify the major gaps in communication and in ongoing management and maintenance.
  • Learn more about DevOps and major automation frameworks like Puppet and Chef.

About the Author: Dave Shackleford

SANS Analyst, Senior Instructor, Course Author, GIAC Technical Director

Dave is a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, and is the founder and principal consultant of Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.