How does secure software development in the cloud work?

The typical software development model of develop, deploy and run (with security often as an afterthought) does not work very well in a cloud environment.

The two biggest reasons are feature velocity and operational assurance. In a cloud provider environment, functional features come (and sometimes go) on a daily basis. At the same time, both the code and the sizing of the machinery have to adapt to rapidly changing usage patterns. This leads to automating more of the deployment process. That deployment then becomes code that somebody has to write.

Hence the integration of Dev and Ops: DevOps.

Interestingly, security can be integrated as well. Security also requires feature velocity, though in this case it often is a negative feature: stopping some kind of exploit. And the most thorough security comes from automating security controls, for example by baking them automatically in the virtual machines that run the new code at deployment time.

For a little more discussion I would like to refer to a blog post by my friends at Securosis. These guys have an awesome IT security blog, lots of solid research, and they are very knowledgeable on cloud computing as well. In fact, they wrote the CCSK training that I am delivering. In the blog post you see a mention to one of their CCSK sessions. It all feels a lot like my sessions.

So here is the link to DevOps, Cloud, and the Death of Traditional IT.

Leave a Reply