"Is security keeping pace with continuous delivery?"
Is continuous delivery ignoring/marginalising security because it gets in the way of trendy practice and management targets?
On September 27 2016 at 11am we're running a live broadcast that will explore the changing game of application security. The thinking is that the world has moved on in terms of how applications are created and deployed — two-year development cycles are being replaced by fast-moving, integrated processes delivered by …
In my humble opinion, people are so busy rushing product out the door that they totally ignore security. Security on the Internet has got worse over time, not better. For instance, OOP programming methodology was supposed to reduce bugs in software; has it delivered? I don't think so. There is a crisis in security, and the major players need to organize a summit where these problems are identified and solutions found. Given the combined market capitalization of Cisco, Facebook, IBM, Microsoft, Oracle, Symantec, Kaspersky ... is this the best they can come up with?
Coming from a Mode 1 ITSM world, the idea of continuous delivery seems terrifying. I spent a lot of time in operations reconstructing past events for audits, and changes complicated that process. If there is no graceful way to reconstruct the state of the system in the past, then that aspect of compliance (security or otherwise), goes out the window.
When I worked for a large credit card issuer, a defect (code, disclosure, parameter, whatever) could be discovered months later (sometimes after someone complained to a regulatory agency) and my task was to answer how many cardholders were impacted when in what way, performing research across dozens of subsystems. How on earth could anyone do that in a continuous delivery environment?
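One way the "what was live when?" question is answered in a continuous delivery setup is by treating the deploy log as an append-only audit record and querying it. The script below is an added example, not code from the original page or from any of the commenters; the log format, the field names, the service name `cards-api` and the sample entries are all assumptions constructed for the illustration. It returns the record that was live at a given instant and the exposure windows during which a set of defective versions was in production, including a rollback and a still-open window for the current release.

```python
"""Reconstructing past deployment state from an append-only deploy log.

Added example (not code from the original page). The log format, field
names, service name and sample records are assumptions constructed here.
"""
from datetime import datetime, timezone

# Constructed sample deploy log: every deployment appends exactly one record.
# Note the rollback on 2016-09-05: 1.5.0 was replaced by 1.4.1 again.
DEPLOY_LOG = [
    {"ts": "2016-09-01T09:00:00Z", "service": "cards-api", "version": "1.4.0", "commit": "a1b2c3d"},
    {"ts": "2016-09-03T14:30:00Z", "service": "cards-api", "version": "1.4.1", "commit": "d4e5f6a"},
    {"ts": "2016-09-05T11:15:00Z", "service": "cards-api", "version": "1.5.0", "commit": "0badc0d"},
    {"ts": "2016-09-05T17:45:00Z", "service": "cards-api", "version": "1.4.1", "commit": "d4e5f6a"},
    {"ts": "2016-09-08T08:00:00Z", "service": "cards-api", "version": "1.5.1", "commit": "f00dfee"},
]


def _parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def history(log, service):
    """All deploy records for one service, oldest first."""
    return sorted((r for r in log if r["service"] == service), key=lambda r: _parse(r["ts"]))


def deployed_at(log, service, when):
    """Return the record that was live for `service` at instant `when`,
    or None if nothing had been deployed yet."""
    t = _parse(when)
    live = None
    for rec in history(log, service):
        if _parse(rec["ts"]) <= t:
            live = rec          # latest deployment at or before `when`
        else:
            break
    return live


def exposure_windows(log, service, bad_versions):
    """Return [(start, end)] intervals during which any of `bad_versions`
    was live. `end` is None for a window that is still open, i.e. the
    defective version is the one currently deployed."""
    recs = history(log, service)
    windows = []
    for i, rec in enumerate(recs):
        if rec["version"] not in bad_versions:
            continue
        start = rec["ts"]
        end = recs[i + 1]["ts"] if i + 1 < len(recs) else None
        # A bad version deployed straight after another bad version is one
        # continuous exposure; merge it with the previous window.
        if windows and windows[-1][1] == start:
            windows[-1] = (windows[-1][0], end)
        else:
            windows.append((start, end))
    return windows


if __name__ == "__main__":
    print(deployed_at(DEPLOY_LOG, "cards-api", "2016-09-05T12:00:00Z"))
    print(exposure_windows(DEPLOY_LOG, "cards-api", {"1.5.0", "1.5.1"}))
```

The exposure windows are the starting point for the impact question: join them against request or transaction logs for the same service to get the set of cardholders whose traffic hit the defective build. This only works if the deploy log is immutable and every production change, rollbacks included, is recorded through the same path.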
Obviously, if your security strategy is to do everything at the application level and just attach your production server straight to the internet, that's an enormous risk, whether doing continuous delivery or managed releases.
Anybody sane has a network infrastructure involving multiple firewalls whereby the actual production servers are not directly accessible from the internet. Unfortunately a lot of sizeable companies do not yet fall into the "anybody sane" category.
I've worked somewhere that had good experiences with continuous integration and testing of software, but they did nothing that could be described as continuous delivery. Releases of new software versions were only deployed after stable builds passing all tests had been through a round of user acceptance testing, so that they got tested by real people too.
Personally, I'd never deploy a new version of software without all this, unless there were urgent fatal bugs to be fixed, in which case a version of the last deployed release with just those bugs fixed is acceptable for a quick deployment.
I can just imagine the sleepless nights and stress that a "continuous delivery" strategy would result in: my feeling is that it would result in a "continuous staff turnover" situation too.