DevOps Blog

Technical Guidelines and Practical Advice for DevOps

Latest Posts

Malicious User Stories, Rejection Criteria, and the New Business Value

• DevOps Blog
Todd Waits

Traditionally, DevOps practitioners think of business value as simply measuring the difference between money earned and money spent. In that line of thinking, security is often relegated to a secondary goal because it fails to directly drive revenue. The misguided goal is to deliver functionality at all costs, even if it compromises the integrity of the system or data. As Rob Joyce, head of the National Security Agency's Tailored Access Operations group, mentions in his...

Adding Security to Your DevOps Pipeline

• DevOps Blog
Kiriakos Kontostathis

DevOps practitioners often omit security testing when building their DevOps pipelines because security is often linked with slow-moving business units and outdated policies. These characteristics conflict with the overall goal of DevOps, which is to improve the software delivery process. However, security plays an important role in the software development lifecycle and must be addressed in all applications. Incorporating security into different stages of the DevOps pipeline will not only start to automate security, but...

Fabric, Ansible, Docker, and Chaos Monkey: The Top 10 DevOps Posts of 2015

• DevOps Blog
Hasan Yasar

By Hasan Yasar, Technical Manager, Cyber Engineering Solutions Group. In August 2015, the DevOps blog launched its own platform. The blog offers guidelines, practical advice, and tutorials to the ever-increasing number of organizations adopting DevOps (up 26 percent since 2011). According to recent research, those organizations ship code 30 times faster. Despite the obvious benefits of DevOps, many organizations hesitate to embrace it, which requires a shifting mindset--and cultural and technical requirements--that prove challenging in...

Monitoring in the DevOps Pipeline

• DevOps Blog
Tim Palko

By Tim Palko, Senior Member of the Technical Staff, CERT Cyber Security Solutions Directorate. In the realm of DevOps, automation often takes the spotlight, but nothing is more ubiquitous than monitoring. There is value to increased awareness during each stage of the delivery pipeline. However, perhaps more than any other aspect of DevOps, the act of monitoring raises the question, "Yes, but what do we monitor?" There are numerous aspects of a project you may want...

Integrating Your Development and Application Security Pipelines Through DevOps

• DevOps Blog
Aaron Volkmann

By Aaron Volkmann, Senior Research Engineer, CERT Division. The DevOps philosophy prescribes an increase in communication and collaboration between software development and operations teams to realize better outcomes in software development and delivery endeavors. In addition to bringing development and operations closer together, information security teams should be similarly integrated into DevOps-practicing teams. An automated way of performing complete software security assessments during continuous integration (CI) and continuous delivery (CD) does not exist yet, but...

Developing with Otto: A First Look

• DevOps Blog
Aaron Volkmann

By Aaron Volkmann, Senior Research Engineer, CERT Division. You will be hard pressed to find a DevOps software development shop that doesn't employ Vagrant to provision their local software development environments during their development phase. In this blog post, I introduce a tool called Otto, by Hashicorp, the makers of Vagrant...

Applying DevOps Principles in Incident Response

• DevOps Blog
Todd Waits

By Todd Waits, Project Lead, CERT Division. DevOps principles focus on helping teams and organizations deliver business value as quickly and consistently as possible. While the principles advocate for improving the coordination between development and operational teams, they can be adapted for any number of domains. The key components of DevOps we want to emulate across other domains are: collaboration between project team roles; infrastructure as code; automation of tasks, processes, and workflows; monitoring of applications...

A DevOps a Day Keeps the Auditors Away (and Helps Organizations Stay in Compliance with Federal Regulations such as Sarbanes-Oxley)

• DevOps Blog
Aaron Volkmann

By Aaron Volkmann, Senior Research Engineer, CERT Division. In response to several corporate scandals, such as Enron, WorldCom, and Tyco, in the early 2000s Congress enacted the Sarbanes-Oxley (SOX) Act. The SOX Act requires publicly traded companies to maintain a series of internal controls to assure their financial information is being reported properly to investors. In an IT organization, one of the main tenets of SOX compliance is making sure no single employee can unilaterally deploy a software code...
