Developer video Training

Editor's Note: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense, and the Application Security Curriculum Product Manager at SANS. In this post, Eric introduces Secure DevOps and some key DevOps concepts.

This month, our STH.Developer Software Development Lifecycle (SDLC) training module was selected for the video of the month. The SDLC topic reviews the challenges that software development teams face when building security into their lifecycle. In case you missed it, we walked through securing a traditional Waterfall development lifecycle in a. So, by selecting DevOps as September's video of the month, we are continuing our SDLC journey.Before watching the training module, let's review some key concepts in DevOps that will help you understand its role in software development.

Collaboration:

DevOps addresses the division that typically exists between the "Development" and "Operations" teams. In a pre-DevOps world, development teams were responsible for writing code. Period. The code changes were queued up for the quality assurance team, who ran the software through their testing plans. Then, another handoff was made to the system admins / operations team responsible for deploying code. This strict division of responsibilities causes a few problems:

• Each handoff creates overhead, slowing down the time to market.
• The deployment and release phases are far removed from the development team, increasing the number of failed deployments.

The goal of DevOps is to break down the separation between these various teams, and permit / encourage them to work together. Developers, quality assurance testers, system admins, database administrators, and application security experts all become the DevOps team. They work side-by-side, minimizing the handoffs, to develop, test, deploy, and support their applications. This allows everyone to remain close to the end-to-end process and achieve a common goal: creating reliable software, as quickly as possible, with a high probability of success.

Continuous Delivery:

Those of us that have been in software development for a long time remember how painful deploying code was in the past. We committed our code changes, wrote a script to update the database schema, manually updated settings on the development server, and wrote up a step-by-step list of instructions for the operations team to follow. Then, waited the required lead-time for quality assurance and security testing. Finally, weeks or months later on deployment night, the operations team walked through the steps and sent the email notifying us that the deployment was complete. We then stayed up half the night troubleshooting our applications, figuring out where it went wrong. It was painful!