via Gary Southwell, writing at HelpNet Security, comes this interesting self-help(ish) posting, detailing a method to faciltate enhanced (read better) inter-operability between Security Teams and DevOps Organizations. Might be interesting to see the outcome of implementation of this advice, in a real-world setting...
In my opinion, there is absolutely no 'art' in securely deployed applications...
Not withstanding this, the subject of this post is the well engineered conversational interview over at Linux.com, with Tim Mackey, an evangelist at Black Duck Software; in which the two participants in the conversation hold forth in 'DevOps and the Art of Secure Application Deployment' (scribed by Amber Ankerholz). Worth the read.
The remarkable truth about Information Security within DevOps driven organizations, and why, per se, those organizations are not secure with the utilization of DevOps integration of Development and Operations teams leading to continuous deployments. If you read anything about DevOps today, read George V. Hulme's interview of Adam Muntner an Application Security Engineer at Mozilla and the creator of FuzzDB (the interview is also posted at Adam's Blog). Absolutely Outstanding.
"The problem is that automating security creates a paradox. You see, in security, automation works best as a tool and not a wielder of tools. You see, your security automation is in charge of making periodic and systematic changes to controls and then verifying those changes." via Darkmatters, a Norse Security blog, by Pete Herzog
'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via Devops' Alan Shimel
Interesting Uber vs. John Doe (in this case GitHub) case, whence Uber issues what is fundamentally a Your Papers Please subpoena through a magistrate and demands records closely held by GitHub through the courts.
In this case, access has been granted by the magistrate permitting examination of the two Gists at GitHub, containing the unfortunate error made by Uber employees (whence an Uber developer/dba included internal passwords on a very public Gistto internal databases.
Uber argued (successfully - mh) during the hearing that the two Gist posts (both of which have been offline since the lawsuit was filed) should have had very little traffic, and the data on who visited them "should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download." - via El Reg's Kieren McCarthy