One of the key things that make DevOps deployments possible is more automation to make things more reliable. These tools include things like Jenkins, Ansible, Chef, Puppet, SaltStack, and even tools like Hubot, and concepts like Infrastructure as Code, Test Automation, and Test Driven Development, Continuous Integration, Continuous Delivery, and ChatOps. These tools have changed the face of system administration in the last decade. Unfortunately, security automation has lagged significantly behind the DevOps movement.
Getting your organization into security compliance is a lot like eating an elephant. It’s a daunting task, but there’s really not much you can do but eat it one bite at a time. A recent Verizon survey indicated that 80% of all organizations surveyed indicated they have trouble staying in compliance. For these organizations, they get to eat that elephant again and again – and worse yet, under the critical eye of an auditor. Once you eaten the elephant, you don’t want it to become an annual event.
Computer security is problematic today, is expected to get worse for years to come. The security field is widely acknowledged to be suffering from a shortage of qualified security experts. Many people believe that significant improvements in automation are the only way to address this growing problem. Compared to the level of automation that system management has experienced in recent years, security has been estimated to be at least a decade behind.
Our IT Best Practices community was created to help support security automation efforts. We aim to collect, categorize and curate mechanically-verifiable best practices for servers, services and networking, in support of the idea of “best practices as code”.