SANS Institute

The DevSecOps Approach to Securing Your Code and Your Cloud

DevSecOps is about collaboration. More specifically, it is continual collaboration between information security, application development and IT operations teams. 
Having all three teams immersed in all development and deployment activities makes it easier for information security teams to integrate controls into the deployment pipeline without causing delays or creating issues by implementing security controls after systems are already running. 

Despite the potential benefits, getting started with DevSecOps will likely require some cultural changes and considerable planning, especially when automating the configuration and security of assets in the cloud, whether the model is software-asa-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS). This paper walks you through those policies and guideline processes.

About the Author: Dave Shackleford

Dave Shackleford ImageDave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.