As DevOps becomes more and more important, daily code deployment is becoming an industry standard. But how does DevOps address security?
If you’re constantly pushing code, you are potentially adding new vulnerabilities to your site, which is why security should be a key component of DevOps culture. At times, however, it can be difficult to achieve balance, which leads some to doubt that DevOps and security can work together. James D. Brown tackled this with his Mythbusting DevOps and Security article and Nick Galbreath from Etsy also did a great talk around DevOpsSec and how you integrate security in DevOps.
DevOps Security Testing
Security in DevOps requires proactivity. It is important to take security into account in the development process, and to include it in your automated tests. DevOps security also requires that you monitor for issues and deploy fixes quickly. While the automatic security testing tools can be used in the development process to test for basic issues, these tools do not catch everything, especially complicated vulnerabilities. This is where bug bounty programs can add value to your DevOps process. By crowdsourcing your security, security researchers with a diverse set of skills can submit your code to a series of high quality tests to discover vulnerabilities.
Bug Bounties as a DevOps Tool
Ongoing bug bounty programs provide DevOps teams the opportunity for continuous and high quality security tests to be run on both staging and production environments. This provides teams both scalability and quality when testing for security, which may be why DevOps pioneers like Google and Etsy run active bug bounty programs on their sites.