Mike Nescot, Web Operations and Security Manager, JBS International (@mnescot)
We pursue increasingly rapid delivery cycles while acheiving previously unimaginable degrees of scalability, reliability, and raw performance. But there is obviously a growing and serious mismatch between our develoment and operations performance in securing our applications compared to our performance in other areas. I work at a company extensively involved in Drupal and other open source projects that concentrate on both DevOps and security, but continue to be plagued by serious security vulnerabilities. Organizations and individuals negatively affected by Heartbleed and other security flaws probably would have readily traded some delay in accessing new features or temporary access problems for better security. So, how can we better focus DevOps culture and practices on the concept of Continous Security to deliver this? Perhaps we need to look at ongoing advances in automated security testing, more rigorous and frequent manual code review, and paired/team programming practices, and work better on more fully integrating these all into DevOps.