Once again this year, I was fortunate to be a contributor to Puppet’s State of DevOps Report. Working on this report is always enlightening, and I’ve used this research over the last 8 years to learn about the state of the industry, what works in practice, and where organizations are stalling out and having issues.

This year's theme was security, and how it is integrated into DevOps practices. We asked thousands of participants about their security posture and about their ability to deliver software. Participants fit a variety of demographics, including a significant sample of people in the computer security space, whether on security teams, in security management, or in other security roles.

The full report is now available to read, but I wanted to call out a few findings and patterns that stood out as we built the questions and performed the data analysis.


First off, the progress of real teams shows that security and DevOps are not two entirely separate goals. In fact, the evolution of security posture mapped very cleanly onto the DevOps evolution model first created in the 2018 State of DevOps Report. Based on the security milestones extracted from the thousands of responses to build that model, it became clear that DevOps done right includes security, and that the reverse is true as well: by improving security posture in a meaningful way, teams can’t help but be more collaborative.

I was also pleased to see how collaborative security practices affect overall security posture and the ease with which software moves through the delivery process. According to the data, if your organization spends time on collaborative efforts such as threat modeling exercises, security staff reviewing code, or writing tests together with developers, you are also more likely to be further along in your DevOps evolution, and your overall security posture is more likely to keep evolving as well.

These practices can’t be achieved overnight, however. While valuable, they take time to solidify and require trust between security experts and delivery teams. Teams often get started with integrating security into their SDLC practices with testing, and CircleCI can help with that. Tests in service of security can be things like static analysis, dependency checking and management, OWASP vulnerability management, and regression suites. You can perform all of those types of tests with your CircleCI workflows, and we even have orbs that can act as a catalyst for moving your team into continuous security practices.

One more key theme I observed was that being in the middle of an evolution with security is difficult. When you’re spending as little time and effort as possible on security, it feels pretty easy. When you’re really good at it and it’s fully integrated, it’s sophisticated, but smooth. In the middle stages, where you’ve identified improvements to make and found gaps, but haven’t yet created solutions or reworked processes to accommodate security practices, there may be a lot of friction and even a feeling that things are getting worse. It’s a classic Dunning-Kruger effect, and it shows up with security evolution as well.

So, when making security investments:

  1. Recognize progress over perfection. It’s often the simple things that have the biggest impact.
  2. Once those are handled, introduce collaborative efforts between the security and delivery teams.
  3. Eventually, security should be built into the way software moves through your systems.

Finally, working around security practices and processes is harder than consistently doing the right thing. Security built into the delivery system creates confidence and helps you move fast, which is what everyone is after.

I hope you enjoy the 2019 State of DevOps report, full of security goodness, brought to you by our friends at Puppet, Splunk, and all of us at CircleCI.
