You can't talk about the cloud, modern apps, and—for that matter—digital transformation without talking about security. A popular term is security by design. But even security by design needs to be embedded in the enterprise architecture. It also applies to the DevOps cycle: DevOps needs to have security by design. Before we can discuss this and principles such as zero-trust, we need to get a good understanding of security first and how it's impacting the DevOps practice. This chapter provides an introduction to security in DevOps.

After completing this chapter, you will have learned why it's important to include security in the enterprise architecture and how an architect can collect and assess risks, and be able to identify what specific risks are in DevOps. You will also learn about setting security controls and what the main topics are that need to be addressed in DevSecOps.

In this chapter, we&apos...

It's a topic you can read about practically every day: businesses that have been hit by some sort of hack or attack. The smallest hole in a system will be found by criminals and exploited. Currently (in 2021), the most popular attacks are the following:

• Ransomware
• Phishing
• Denial of service

The first two, ransomware and phishing, really exploit holes in the defense layer of enterprises. The last is basically about bombing a system so heavily with traffic that the system eventually collapses. All three are fairly easy to execute. In fact, you can buy software and even services that will launch an attack on the targeted address. And no, you don't have to go to the dark web for that. It's out there, in the open, on the normal internet.

How can an enterprise protect itself from these attacks? First of all, it's important to realize that the IT of any enterprise has become more complex, as we have...

There's a classic cartoon on the internet. It shows a boxing ring. The speaker announces an immense set of security tools and rules in the left corner of the ring. Then, in the right corner, he announces Dave: a nerdy-looking guy, wearing a shirt saying human error. The message: you can have every security system in the world, but it won't stop human error. And development is still mainly work done by humans. Humans make mistakes. Is that the biggest risk in DevOps or are there other specific risks that need attention? We will discuss this in this section.

To answer the question of whether DevOps implies specific risks, yes. Implementing DevOps without paying attention to security will definitively increase the risk of attacks, simply by raising the attack surface of systems. There are three main topics that need to be addressed:

• Access management: DevOps teams likely use code repositories that are manually accessed either...

Security starts with access to the repositories, the source of code where the DevOps cycle begins. As we've learned so far, we want to automate as much as we can in development, testing, and deployment. Next, by adopting DevOps, businesses want to speed up the development and deployment of new applications and features. Speed and agility might lead to security risks, because code is not sufficiently tested or, worse, it's pushed to production without applying the proper security policies to gain time. Let's illustrate that with a real-life example.

Developers fork code from the repository and start working on that code. At a certain stage, it needs to be pushed to designated infrastructure to run that code. In development, the code runs fine, since it's not interfacing yet with production systems. As soon as the code is ready to release in production, it will need to establish those connections. Commonly, in enterprises, specific routing...

In the first section of this chapter, we discussed the steps that an architect must take to define enterprise security. In this section, we will explain how requirements and metrics can be collected, validated, and translated into controls and KPIs.

Business goals

We've talked about this in Chapter 1, Defining the Reference Architecture for Enterprise DevOps, but obviously, it's important to understand the goals a business wants to achieve. What markets are they in, how do they serve customers in these markets, and what is the product portfolio? It does make a huge difference if a business is operating in financial products or healthcare. Their markets define the risk level. The risk for a bank or an investment company could be mainly financial, whereas for healthcare, the biggest risk could be involving the life of patients. The goals will be different too: an investment company might have the goal to support as many businesses with...

This chapter provided an introduction to integrating security into DevOps, discussing the concept of DevSecOps. We've discussed the importance of security in enterprise architecture and how this is also driving security in enterprise DevOps. We've learned about the main security risks that are involved in adopting DevOps, and we had a closer look at securing containers as one of the most used technologies in DevOps practices. With that, we defined some critical starting points for adopting DevSecOps.

In the final section, we learned how to collect and assess risks from business goals and business attributes, introducing commonly used security controls frameworks such as the frameworks by CIS. With some examples, we explored the various steps that an architect needs to take to have a security standard that can also be applied to DevOps.

In the next chapter, we will explore the architecture of DevSecOps in more detail, before we start integrating security policies...

1. Name the four traditional principles of enterprise security.
2. What does Docker use to validate signed containers?
3. True or false: Security should not hinder speed and agility in DevOps.

• ISACA journal about enterprise security architecture using SABSA and COBIT: https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
• CIS website: cissecurity.org