1 Management Summary
Today's organizations adopt agile paradigms for the design and development of software and for the implementation of modern infrastructures in order to respond to change faster. Role model organizations like Netflix, Google, Amazon or Spotify update their platforms continuously, with several deployments per day. This typically requires ongoing changes to both the functionality and the underlying infrastructure while reliability, stability and security have to be maintained at the same level.
The DevOps methodology goes far beyond traditional system operations in that it applies agile methodologies to the complete process of creating systems and infrastructures, ranging from software development to application release management and enterprise systems management on-premises and in the cloud.
Software development teams aim at a high frequency of feature updates and deployments. At the same time, the definition, configuration and provisioning of modern infrastructure components have themselves become code, which allows system operations to be treated as just another programmable task. Such fundamental changes to the way infrastructure and software are delivered in turn require a fundamental change to the way an adequate level of security is implemented: security controls that rely on manual, release-bound review cannot keep pace with several deployments per day.
Organizations that apply the DevOps approach solely to deliver solutions faster and more efficiently, without strong security principles baked into their software development and operations processes, will sooner or later run into information security incidents at a scale matching the speed and reach of their delivery pipeline.
This document aims at retaining the benefits of modern, agile and DevOps-style methodologies while satisfying strong, state-of-the-art security requirements. It recognizes that security in an agile environment also has to embrace agile approaches. This is achieved by laying a strong and stable foundation for defining security requirements and integrating them into agile software development processes from the beginning, together with agile system operations as part of a modern provisioning process for IT services. To support a cross-organizational approach, the document covers team and skill development, organizational structure, and business-, software development-, operations- and technology-oriented recommendations.