Business management likes DevOps — they get things done. DevOps produce code, applications and cloud-based services in response to demands from other lines of business. While DevOps took its name from the coming together of traditional Developers and Operations team practices to work towards a common goal, these days DevOps has become a catch all term for various team structures that are responsible for the writing, testing and deployment cycle of code within an organization — delivering a continuous internal software supply chain that the organization feeds on.
While the structure and hierarchy of DevOps teams will differ from one organization to another, the common theme of all DevOps teams is speed, automation, and reliance on cloud infrastructure. Increasingly, those writing code are also responsible for code testing and committing code to popular repository tools such as GitHub, GitLab and Bitbucket for other developers or deployment teams to pick up. It’s here that some security risks are introduced into the DevOps process.
Such is the demand for rapid delivery that code can be deployed with errors added after the original clean code was committed by the original, authorized developer. Those shipping code to production have no way of knowing if that code is original or has been modified with possible errors or vulnerabilities added by malicious actors. To counter these risks, organizations are looking to add a security layer within DevOps structures that limits access to code repositories and software lifecycles only to authorized and authenticated identities within the organization. In many complex organizations these identities can be machine or human and the number of identities run into the thousands.
This Executive View considers the Beyond Identity Secure DevOps platform which uses unique commit signing keys and APIs to verify the authenticity of all developer identities.