CISSP PRACTICE QUESTIONS – 20200824

Effective CISSP Questions

Your company decides to have an in-house integrated product team (IPT) develop the CRM system and to deploy the solution to PaaS provisioned by a public cloud services provider. DevOps is implemented to support the software development life cycle. As a security professional, which of the following is of most concern?
A. The solution is continuously monitored and provides high visibility.
B. The solution is delivered to the staging system on the fly for manual testing.
C. The solution is built automatically once code is checked into the code repository.
D. The solution is deployed to the production system if continuous testing succeeded.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The solution is deployed to the production system if continuous testing succeeded.

Continuous Deployment

Deploying the solution to production as soon as testing completes successfully is risky because the release lacks authorization. Continuous Deployment means the solution is deployed to production automatically, while Continuous Delivery means the solution is published to a destination other than production, e.g., the staging or testing area, where it is ready to be released or deployed.
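The difference between the two modes can be written as a promotion gate. This is an added example, not code from the original post; the `Build` record, the approver names, and the rule that an author cannot approve their own build are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: people allowed to authorize a production release.
AUTHORIZED_APPROVERS = {"release-manager", "security-lead"}


@dataclass
class Build:
    commit: str
    author: str
    tests_passed: bool
    approvals: set = field(default_factory=set)  # who signed off on this build


def valid_approvals(build):
    """Approvals that count: from an authorized approver who is not the author."""
    return (build.approvals & AUTHORIZED_APPROVERS) - {build.author}


def next_stage(build, mode):
    """Return where the pipeline may publish this build.

    continuous_deployment: passing tests alone promote the build to production.
    continuous_delivery:   passing tests publish to staging; production also
                           requires at least one valid approval.
    """
    if mode not in ("continuous_deployment", "continuous_delivery"):
        raise ValueError(f"unknown pipeline mode: {mode}")
    if not build.tests_passed:
        return "rejected"
    if mode == "continuous_deployment":
        return "production"  # no human authorization step exists here
    return "production" if valid_approvals(build) else "staging"


if __name__ == "__main__":
    # Constructed builds showing each outcome.
    samples = [
        Build("a1", "dev-a", True),
        Build("b2", "dev-a", True, {"security-lead"}),
        Build("c3", "release-manager", True, {"release-manager"}),
        Build("d4", "dev-b", False, {"security-lead"}),
    ]
    for b in samples:
        for mode in ("continuous_deployment", "continuous_delivery"):
            print(b.commit, mode, "->", next_stage(b, mode))
```
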

Continuous Integration

DevOps supports the practice of continuous integration; that is, the solution is built automatically once code is checked into the code repository. However, the build frequency is configurable: for large projects that take a long time to build, the build can run periodically, e.g., every 4 hours, every 8 hours, or at midnight (nightly build).

Staging System

The staging system or environment is a semi-production system whose configuration is almost the same as, or identical to, that of production. Microsoft Azure provides a staging feature so that developers can publish the solution to the staging system for last-minute testing; if everything is ready, it takes one click to switch staging to production.

Monitoring and High Visibility

It’s a good DevOps practice for the operations team to monitor the solution continuously and get high visibility into the system operations.

