Chapter 8. Security and Security Audits

What Is Security?

Security is easily remembered by the acronym CIA, which stands for confidentiality, integrity, and availability:

The case study in Chapter 12 discusses an approach that advocates integrating the security team into the adoption process. Other DevOps activities that are candidates for the discussion of security are:

[p155]

One of the catchphrases in DevOps is "infrastructure-as-code", which means treating scripts and DevOps process specifications as code, and applying the same quality control practices as you do with code. Security policies, governance rules, and configurations can be naturally embedded in the infrastructure code and automation for easier auditing.

Threats

The point of view of an attacker provides one perspective for you to take when designing your system or subsystem. Microsoft has introduced the acronym STRIDE for a threat model.

Resources to Be Protected

Security Roles and Activities

Identity Management

Access Control

Detection, Auditing, and Denial of Service

Development

Auditors

Application Design Considerations

Deployment Pipeline Design Considerations