- personal software technology blog

Building DevSecOps into your Organization

DevSecOps is an operations term that integrates security into a continuous deployment model for software. My colleague Jimmy Sanders has a great interview (text and video) here( explaining what that term means.

If you were starting up a modern service-based software organization today, what facilities would you need to put in place to have a functioning DevSecOps method for software deployment?

This diagram captures the general idea.

Let us describe the components above.

  • Monitoring and Alerting tools. Every unit of deployment should have standard and custom monitors that alert when issues arise - these alerts should be tested as a matter of priority so there are few surprises.
  • Log Capture and Analysis tools. For search popularity, operational metrics, canary analysis, network appliance logs, and business intelligence among many other reasons, you’ll need one or more log capture and analysis tools. Every network Popular choices include Kibana, Splunk, and Snowflake.
  • Network Analysis tools. There are systems to mirror and capture network traffic for problem analysis and forensics. When your response times vary, it can help to disprove/prove network issues. Think Extrahop or Gigamon as example companies.
  • Security tools. Many load balancers and application firewalls have security features built in. Some companies run war games from outside the network and some use agents running on each host for forensics. We worry about edge protection, application security, network security etc.

That covers the DevSecOps facilities in a modern service-based software organization today.