Continuous deployment strategies vs DevSecOps
Tags: strategies, deployment, devsecops, continuous
Problem
How do you implement security requirements in CI/CD while taking care of security requirements? What are best practices here?
Security requirements may differ, let's assume this simple level of security:
- Direct administrative access to target system shouldn't be given to the CI/CD system
- CI/CD system needs to be able to initiate deployment and show its success/fail status (could be determined by a white box test routine, i.e. without admin access rights placed on the CI/CD side)
Solution
As you stated, requirements will differ based on company and industry policy; for us, the adjustment from "separation of duties" to automated deployments has been rough. As interim steps, we've started:
- Requiring multiple "sign-offs" before deployment; this is accomplished by both reviews for the PR in Azure DevOps and an audit log in Octopus.
- Monthly review of deployments by higher-ups. This is mostly a rubber-stamp activity, but it satisfies auditors.
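The two controls the question and answer describe (separation of duties via multiple sign-offs, and a pipeline that learns deployment success from the application itself rather than from admin access to the host) as an added illustration, not code from the asker, the answerer, Azure DevOps or Octopus. The `FakeTarget` class, the `/healthz` path and the reviewer names are constructed stand-ins so the gate runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Approval:
    reviewer: str
    approved: bool

def has_required_signoffs(author: str, approvals: Iterable[Approval], required: int = 2) -> bool:
    """Separation of duties: `required` distinct approvers, never the change author."""
    approvers = {a.reviewer for a in approvals if a.approved and a.reviewer != author}
    return len(approvers) >= required

def verify_deployment(expected_version: str, fetch: Callable[[str], dict]) -> bool:
    """White-box success check: the running app reports its own health and version,
    so the pipeline learns pass/fail without administrative rights on the host."""
    report = fetch("/healthz")  # hypothetical app endpoint; assumption, not a product API
    return report.get("status") == "ok" and report.get("version") == expected_version

def run_gate(author: str, approvals: Iterable[Approval], version: str,
             trigger: Callable[[str], None], fetch: Callable[[str], dict],
             audit: list) -> bool:
    """Enforce sign-offs, trigger the deploy, verify it and append one audit record."""
    if not has_required_signoffs(author, approvals):
        audit.append({"version": version, "result": "blocked", "reason": "insufficient sign-offs"})
        return False
    trigger(version)  # the deploy tool acts with its own scoped credentials, not the pipeline's
    ok = verify_deployment(version, fetch)
    audit.append({"version": version, "result": "success" if ok else "failed"})
    return ok

class FakeTarget:
    """Constructed stand-in for the deploy tool plus target system (no real network)."""
    def __init__(self, version: str = "1.0.0", healthy: bool = True):
        self.version, self.healthy = version, healthy
    def trigger(self, version: str) -> None:
        self.version = version  # simulates the deploy tool rolling out the new version
    def fetch(self, path: str) -> dict:
        if path != "/healthz":
            return {}
        return {"status": "ok" if self.healthy else "degraded", "version": self.version}

if __name__ == "__main__":
    target, log = FakeTarget(), []
    approvals = [Approval("alice", True), Approval("bob", True), Approval("dave", True)]
    print(run_gate("dave", approvals, "1.1.0", target.trigger, target.fetch, log))  # True
    print(log)
```

The audit list is the pipeline-side record of each attempt; in practice it would be shipped to the same audit store the reviewers see so the two sign-off sources can be reconciled.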
Context
StackExchange DevOps Q#13836, answer score: 1