These days, security should be part of everyone’s job. This is especially true for DevOps teams, which are responsible for developing, delivering, and maintaining critical applications for many organizations, and must therefore prioritize security as part of their role. But the world of security can seem like a bit of a mystery until you’ve been exposed to it.
If you or someone on your team is looking to learn more about what it takes to run a secure organization today, we have provided a list of resources below, from conferences to reference books to Twitter handles, that are worth checking out.
1. Conferences
These days, there are more and more conferences about security where DevOps pros will feel welcome, like the popular Security BSides series. In the words of one attendee, “As a newbie to the Cyber Security Field, BSides means being able to learn and network with veterans in the Security Field.”
There are also DevOps-focused conferences where security is becoming a bigger part of the agenda, like DevOpsDays. At DevOpsDays Austin in 2016, our own Pete Cheslock was there representing Threat Stack. As it turned out, Threat Stack was the only security company in attendance, but nearly half the talks were about security! That’s how you know it’s becoming a big deal in the world of DevOps. I had a similar experience at DevOpsDays Chicago last August, when I discovered that folks in the audience were clamoring to learn more about security-related issues.
For those of you who are interested, the next conference — DevOpsDays Austin 2017 — is coming up in the first week of May, and we definitely recommend checking it out.
Other DevOps conferences often incorporate security content into their lineups as well, much of it suitable for a beginner audience. So it’s worth looking at the previous and current year lineups of conferences like LISA and Velocity and picking out the sessions that focus on security.
And by the way, for those of you who are local to Boston, Threat Stack’s Nathan Cooprider will be delivering a talk called “Eyes on the ground: why you need security agents” at Source Boston in April.
2. Websites and Blogs
In addition to in-person learning opportunities, DevOps pros can visit lots of great websites to learn about security. We recommend these three in particular:
- Medium’s Starting Up Security: This channel features practical guides to getting started with security at your organization, with strategic topics like how to build a product security team and why you don’t need a chief security officer as a startup, as well as technical subjects like how to investigate CloudTrail logs.
- Krebs on Security: Brian Krebs has been a reporter for more than 20 years and now runs his own website, where he independently investigates and reports on what’s going on in the world of IT security. There’s really no one in the game quite like Krebs. His posts range from how to spot ATM card skimmers to what to do about the recent spike in phishing attacks to in-depth coverage of various cybercrime trials that are taking place. Krebs on Security is a good place to get a handle on what types of security threats are common today and how your business should think about staying safe.
- Threat Post: Threat Post is run by industry goliath Kaspersky. Though it does have a corporate sponsor, it is an independent and well-produced website full of useful information about security. The site has an entire section devoted to cloud security, and closely tracks many types of threats, from appliance vulnerabilities to IoT hacks to political developments in the world of security and privacy.
- We also encourage you to subscribe to the Threat Stack blog, where we deliver a wide range of technical and strategic content, including lots of posts about the intersection of DevOps and security (a.k.a. SecOps or SecDevOps).
Here are a couple of Threat Stack posts to get you started: The 5 Ingredients of a Successful SecOps Implementation, Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock, and Why Did We Need to Invent DevSecOps? While you’re at it, you might want to check out our SecOps Playbook.
3. Training Courses
If you’re ready to get more formal about it, some great training resources are available for security. We especially like the SANS offerings. These include live and online trainings, as well as GIAC certifications. SANS even offers a degree program, the Master of Science in Information Security Engineering (MSISE), for those who are looking to round out their education and demonstrate professional mastery around security. And if you’re just looking for some resources, SANS also has a great library of free content that is well worth looking into.
4. Books
These days, there are a lot of great books about security. O’Reilly Media in particular has been putting out solid security content, and recently published a DevOpsSec eBook that you can download for free. The book leverages real-world case studies and explains how to “use DevOps to secure DevOps.” We’re big fans of this approach.
If you really want to jump into the deep end, Ross Anderson’s “Security Engineering” is a textbook that many use in teaching information security concepts from “what is information security” all the way to anecdotes about securing nuclear submarines! While this book doesn’t focus entirely on implementation details, it does provide a foundation for thinking about information security when it comes to working on your infrastructure and applications.
5. Social Media
Sometimes the best information and latest learning comes in real-time, and there’s really no better place to get the latest hot take than Twitter. We recommend looking at these folks on the social network to get a pulse on the world of security as it applies to DevOps:
You can also follow us @threatstack!
6. Forums and Online Communities
There’s a whole world of forums and online communities out there where you can have productive conversations and ask tough questions of like-minded folks. I particularly like the HangOps #infosec group on Slack, which you can gain access to here: https://signup.hangops.com/. Beyond Slack, there are a number of strong security communities, and a great example is the Information Security Stack Exchange (security.stackexchange.com), a Q&A site for practical security questions.
Final Words . . .
With the above resources, you should have a wealth of information at your fingertips to make the journey from DevOps to secure DevOps a more rewarding and less overwhelming one.
Know about any other great resources worth checking out? Tweet them to us @threatstack!
And finally, if you need some immediate hands-on advice to get started with cloud security in your organization, download your free copy of Jump Starting Cloud Security: A Guide to Starting Your Cloud Security Journey.