Understanding security risks in DevOps
There's a classic cartoon on the internet. It shows a boxing ring. The speaker announces an immense set of security tools and rules in the left corner of the ring. Then, in the right corner, he announces Dave: a nerdy-looking guy, wearing a shirt saying human error. The message: you can have every security system in the world, but it won't stop human error. And development is still mainly work done by humans. Humans make mistakes. Is that the biggest risk in DevOps or are there other specific risks that need attention? We will discuss this in this section.
To answer the question of whether DevOps implies specific risks, yes. Implementing DevOps without paying attention to security will definitively increase the risk of attacks, simply by raising the attack surface of systems. There are three main topics that need to be addressed:
- Access management: DevOps teams likely use code repositories that are manually accessed either...
