We are running continuous integration and tests against our software. How do we apply these principles to security? What do you test besides the OWASP Top 10? How long does it take? Does that hold up my deployments? If any code commit may be released to customers at any point, how do I make sure it is secure? What about the production environment? How do I deal with PCI, SOX and HIPAA compliance audits? Do I just use logs, graphs, honeypots, checks and automated tests?
Whether building a web, mobile, or gaming backend, Operations is using development tools to make it work. We primarily focus on systems automation and site reliability engineering. We're interested in the built-in facilities in Linux and the BSDs to programmatically seed and deploy. We primarily focus on Open Source solutions, but it is good to keep an eye on the alternatives. This includes automated deployment to private cloud (Eucalyptus, OpenStack), public cloud (Amazon Web Services, Rackspace Cloud) and physical hardware. We like to keep all our work in revision control (git, Mercurial, Subversion) and leverage tools such as Opscode Chef, Puppet, CFEngine3 and Pallet to manage our system configurations. Monitoring, Seed, Deployment, High Availability, Maintenance, Security Auditing, Auto-Scaling, Load Balancing, Name Resolution, Performance Tuning, Testing, Rinse and Repeat.