Drupal GovOps Security

"DevOps" is an IT movement and strong force in the Drupal Community more commonly associated with the private than the public sector. With a strong focus on process improvement to optimize the application development pipeline, DevOps allows big and small companies alike to deliver web applications with previously unimaginable speed and reliability, at frequencies sometimes shorter than a day. At first glance, such agility may seem incompatible with Government IT security standards and frameworks focused on layers of complex controls and careful, methodical development and deployment processes. DevOps also commonly employs open source software, which faces new questions in light of recently discovered serious security vulnerabilities such as Drupalgeddon, Heartbleed and Shellshock. This session will look at how DevOps concepts such as continuous integration and tools, and specific technologies including Jenkins, Gerrit, Phing, Zap, Puppet, and Docker, can actually help us not only streamline application delivery, but also enhance overall security and effectively support important Federal initiatives including the Cybersecurity Framework and Continuous Diagnostics and Mitigation (CDM) Program by fostering automation, agility, and collaboration between developers, system administrators, and security professionals.