Executive Summary
From large-scale multiyear waterfall projects to small two-pizza teams delivering and running online microservices, how we manage software has changed completely.
Just as Capability Maturity Model Integration (CMMI) and Project Management Institute (PMI) approaches gave way to Agile software development, Agile has made way for DevOps, which extends Agile principles and tooling across the full chain, from design to development to deployment and operations.
DevOps started in the cloud with digital startups such as Netflix and Flickr. Today, DevOps is becoming fact, not fiction, for many organizations, as enterprises and even governments adopt cloud services and containers, and implement automated continuous build and delivery pipelines.
Today it’s not just about cutting delivery times, costs and risks. It’s about building iterative feedback loops between engineering and real users, running continuous experiments so that the organization can learn and adapt, fail fast or pivot quickly in response to rapidly emerging needs and priorities.
It’s also about using chaos engineering (deliberately injecting failures into production-like systems) to design and implement resilient, antifragile operational environments that can scale up and scale out on demand. And it’s about leveraging automation to cut delivery cycle time while at the same time reducing operational risk and satisfying compliance requirements.
This survey, the sixth in a series of annual studies by SANS on security practices in software development, is the first to explicitly focus on DevOps.
Last year we looked at how organizations balanced speed of delivery against risk. This year we dove deep into how security fits into DevOps, where security risks are and how they are being managed, and the top success factors in implementing a Secure DevOps program:
• Have organizations been successful in adapting, or reinventing, their traditional approaches to InfoSec and AppSec to the realities of DevOps?
• Can security keep up with rapid iteration in continuous deployment?
• Is Secure DevOps fact or fiction?