Why does Security matter for DevOps?
Security does matter, and figuring out how to go about doing it can result in brain explosion. For example, the BSIMM has a list of 110+ security controls. What are the bare minimum security controls that should be in place for any DevOps organization?
There are 3 main reasons why security matters for DevOps.
Reason #1: Sales / Acquisition. A potential customer or acquirer wants to know what the company is doing about security.
Reason #2: Press. The company wants to avoid negative press headlines resulting from a security breach. Let’s think about this for a moment, though. Isn’t the reason any company cares about press that it doesn’t want bad press to affect its sales or potential acquisitions? (See: Verizon and Yahoo.) So perhaps we’re back to just the one reason — sales.
Reason #3: Compliance. The company needs to comply with PCI, HIPAA, or another requirement in order to do business or meet a customer requirement. Sound familiar? A primary reason for compliance is to avoid slowing down… sales.
Remember when Bill Gates wrote that company-wide memo to all the employees at Microsoft talking about Trustworthy Computing? Was that for a noble cause? I suspect it was because Microsoft was starting to get questions about its security, and it didn’t want security issues to get in the way of… you guessed it, sales.
So if sales matters to companies, and security matters for sales, how does a company get started when it comes to “doing” security?