“In a relatively short time, we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
Jeff Jarmoc’s sadly funny tweet about Internet security after the epic 2016 Dyn DDoS attack speaks volumes about the challenge facing every business today: security doesn’t work if it is an afterthought or an add-on.
That is the central message of the most recent report by GigaOm Research Vice President Jon Collins, “The Key Criteria for Evaluating DevSecOps Tools”. As Collins notes, the increasing speed of development and innovation provided by DevOps processes has one downside: it can overwhelm the critical discipline of cyber and asset security.
“In an ideal world, developers would also be security engineers and would build appropriate risk-reduction features into their software applications, as well as follow the proper processes and adopt policies to mitigate potential risks,” Collins wrote in the report.
The growing discipline of DevSecOps brings security into the DevOps process, providing structural assurance that code and content are designed with security in mind. Collins identifies four main features of DevSecOps:
- Includes the most advanced cloud-based security best practices, such as security by design, defense in depth, and zero-trust architecture.
- Applies best practices to balance the need for development speed and agility against the need to minimize the risk (and cost) of a security failure.
- Assists developers and engineers by providing tools that enhance process/pipeline, management, and operational capabilities.
- Delivers value by building on architecture and software vulnerability scanning, application and infrastructure hardening, and other well-established IT security areas.
Collins describes how DevSecOps solutions can be deployed as standalone tools and consoles, or as solutions that integrate into existing frameworks. He gives a four-point description of how DevSecOps interacts with existing processes, as shown in Figure 1.
Figure 1: How to apply cybersecurity to artifacts, pipelines, and targets
- Creation: Supports collaborative development of application-specific policies, which can be stored as code.
- Development: Provides guardrails and automatic remediation potential, potentially tied to an integrated development environment.
- Inspection: Provides a clear view of outstanding risk based on multiple scan and test sources.
- Deployment: Enables delivery visibility so stakeholders can deploy knowing that both the application and the infrastructure are secure.
The DevSecOps arena is young and evolving, with tools often supporting DevSecOps concepts only in part or under the rubric of other disciplines. That will inevitably complicate the decision matrix for IT decision-makers, but Collins recommends that businesses first consider how they will approach a DevSecOps initiative. For example, he advises IT organizations to take a look at existing practices and develop an understanding of how incumbent tools address known problems. He also encourages a start-small approach, limiting initial DevSecOps initiatives to a single development team or group so that learning can be gathered.
Ultimately, Collins says DevSecOps is as much about mindset as it is about tools and practice:
“Security is not the poor grandchild of DevOps-based innovation, with budget owners prioritizing short-term delivery goals and delivery speed [and] acceleration over long-term risks.”
Learn more: Key Criteria for Evaluating a DevSecOps Solution