Skip to main content

Death to Security Audits and Long Live Compliance

My idea security situation is one that never needs an audit.  It should be proactive and not let you hurt your self or require you follow a "Policy".  The future, especially in cloud environment, should be solutions like Chef Compliance and Dome 9 Security.  I am not saying these solutions are the ones you should pick but they are the ones that in body the principles you should have.  Your environment should be one that never gets audited.   It only tests your security controls.  Even the test could be automated, so that you can prove your compliance is in place and your new admin can't open port 3389 on your firewall or grant god permissions to accounts in your environments.

"This will never be us!!"  I hope you don't think this.  As I have said many times, this is a journey of continuous improvement.  Find ways to meet compliance through automation and prevention.

Comments

Post a Comment

Popular posts from this blog

2020 State of DevSecOps by Accurics

 This is an excellent report for all IT Pros and Engineers.   Highlights: Storage is most impacted solution Open security groups or network configuration Secrets are not so secret Unused resources are not secure. Take a look at these.  Look again.  These are not highly skilled problems.  They just need guidelines and proactive management.  The article uses policy as code as a solution for many of the problems.  I will drill into each of these more in the future.  I wanted to get the awareness out first and then, come back to solutions.  
Post a Comment
Read more

Manage IT by Johanna Rothman

I just completed this book. I think it is a really good book which covers a whole lot of software development. This book could possibly be the best book for first time project managers. I believe many of the PMs understand PMM but do not understand software development. This book gives a view of each project role. The only one that it does not cover is Business Analyst or requirements documentation. It does cover QC, development and of course PMs. It gives a PM a view into development processes like TDD, CI and estimation. Many PMs that are new to SD can read this book and get a great start to manager an SD project. If you are a PM or know some, read this book. http://www.jrothman.com/
3 comments
Read more

Matrix Organizations are bad for Software Dev

Development teams need to be teams first and company people second. What happens when your team wants to start using user stories and index cards, but your analyst team manager thinks Use Cases are the best way to document requirements? How about when your QA process is not mature and you keep releasing with defects but the QA manager does not do anything about it? How about your project manager never buys into the team and only cares about being on time and on budget because their review is based on it. Maybe the tech lead wants requirements that never change and never lets the client change their mind. The technical manager taught your tech lead and agrees with everything the tech lead says. Agile or what I like to call "Successful Teams" are teams. They do what it takes to do what the customer wants, deliver features. I am not saying only agile teams are successful but successful teams are agile. If your organization is matrix, get your leadership buy in to override...
3 comments
Read more