Part 3. Maturing DevOps security
In the process of building a security strategy, it’s only natural to focus on the technical aspects first. After all, a passion for DevOps and a strong interest in engineering security controls is probably what made most of you pick up this book in the first place. We’ve done a fair amount of engineering in the first two parts of the book, and now, in part 3, we’ll discuss how to consolidate a security strategy into a process that is risk driven, keeps pace with current security research, and improves continuously.
Successful organizations grow. They add people, products, and partnerships to their portfolio, and become more complex over time. It’s common for security teams to find it increasingly difficult to keep track of the changes in their organization and, as a result, to lose sight of the most important risks. In chapter 11, we’ll dive into the concepts of risk management and threat modeling to identify the security priorities you should focus on. We’ll take a short break from technology and introduce risk-assessment processes that, when integrated into the early phases of a DevOps pipeline, help engineering teams build secure products from the get-go.