How DevOps and Development Can Adapt to the New Normal - Part 5
November 20, 2020

DEVOPSdigest posed the following question to the development community: How should DevOps and development adapt to the new normal? In response, DevOps industry experts offered their best recommendations for how development teams can adapt to this new remote work environment. Part 5, the final installment in the series, covers security.

Start with: How DevOps and Development Can Adapt to the New Normal - Part 1

Start with: How DevOps and Development Can Adapt to the New Normal - Part 2

Start with: How DevOps and Development Can Adapt to the New Normal - Part 3

Start with: How DevOps and Development Can Adapt to the New Normal - Part 4


For a long-term, remote work environment to be safe and successful, security tools and processes need to be fully integrated throughout every stage of the development cycle. It's time to build a DevSecOps culture. To do this, form a team that seamlessly embeds security within engineering. You'll need security team members to have expertise up and down the stack — think networking, application access, compliance and architecture. Have security take part in standups and help with scrum planning and execution. Set up real time communications channels, like a Slack channel and email alias — destinations where developers can get input from security as they code. The result? Developers know they can solicit feedback from security at any point in the development lifecycle. And that creates a full-on, immediate feedback loop, which makes it rare that security concerns bubble up in the late stages of the development cycle.
Rob Juncker
CTO, Code42


While deployments are faster with individual contributors working remotely, DevOps leaders need to make sure that they balance the speed with security in order to successfully transition and adapt to remote work.
Rahul Varshneya
Co-Founder and President, Arkenea


The COVID-19 pandemic has changed working conditions in a profound way. Budget cuts and new workflows owing to a remote structure are causing new strains on DevOps teams. In the face of these challenges, the use of automated technologies and approaches across the entire development cycle must become a priority for improving operational efficiency. The functionality these tools provide by boosting productivity without increasing costs or slowing development cycles has become essential, especially as the pandemic accelerates the rate of patches and new releases as organizations attempt to adapt to this new normal. As organizations adjust existing DevOps methodologies in the context of the pandemic with the goal of increasing release frequency, automated security technologies within the continuous integration, delivery, and deployment (CI/CD) toolchain will be key to maintaining agility.
Matt Rose
Global Director Application Security Strategy, Checkmarx

The pandemic and resultant work from home of IT and development teams has increased the vulnerability of software. Strong security measures are needed to be in place before every deployment. Automated security checks for checking vulnerabilities in your architecture are a must when teams are working remotely. Automated infrastructure checks need to be implemented to minimize the chances of vulnerabilities through human error.
Rahul Varshneya
Co-Founder and President, Arkenea


The new normal of a highly remote workforce is increasing the requirements for DevOps teams to deliver software capabilities — fast. As DevOps takes off, the spotlight is shining on the need for strong security around those applications. And while developers are now being measured on both the quality and security of their code, they lack the tools and skills needed to meet security expectations. What developers need is an application security automation and orchestration platform that unifies DevOps and security teams by making it easy to integrate security into development without changing the way developers work. By doing so, these teams are able to join forces to ensure the software they deliver is of the highest quality — and the most secure possible.
John Worrall
CEO, ZeroNorth


With a remote workforce, you dramatically increase the attack surface of your network. Every private laptop and VPN used by workers at home represents an additional endpoint that can be exploited by hackers. For remote DevSecOps teams working with Kubernetes, it's important that role-based access control (RBAC) policies are tightened so that workers only have access to containers when absolutely necessary, limiting the ability for attackers on compromised endpoints to propagate attacks laterally between pods and containers, or to escalate privileges and access sensitive data. If attackers do gain entry, Kubernetes audit logs can reveal evidence of anomalous behavior. Reviewing the audit logs can also bring to light evidence of misconfigured RBAC and other vulnerabilities in security policies. With machine learning, you can automate audit log monitoring to flag possible threats before the damage is done.
Amir Ofek
CEO, Alcide


DevSecOps teams should focus on building out their PAM solutions to avoid credentials being stolen as users VPN in from remote locations, which may not have secure MiFi or WiFi.
Russell Rothstein
Founder and CEO, IT Central Station

Since the shift to remote work, DevOps has completely taken over. Agility is now king. Organizations are using containers, microservices and serverless compute such as lambda that are blending the lines between development, operations and security. As companies look to adopt best practices for DevOps in the "new normal" we are facing, incorporating modern methods of privileged access management (PAM) to protect organizations from cyberattacks becomes key to ensuring the software development pipeline remains intact.
With development, operations and security teams spread out because of the pandemic, organizations need a centralized PAM solution architected in the cloud, for the cloud, to address threats such as credential-based attacks and phishing. PAM solutions that support more modern application-to-application password management (AAPM) approaches can help DevOps teams secure both human and non-human identities even in the remote work environment. Methods such as secure shell (SSH) keys, ephemeral tokens and delegated machine credentials can seamlessly incorporate PAM into the DevOps pipeline. Ensuring secure access that improves an organization's security posture and agility can keep development, operations and security teams on the same wavelength without compromising speed or security.
Tony Goulding
Cybersecurity Evangelist, Centrify


The reality of remote work for software engineering makes the importance of local security approvals even more imperative. To ensure software can be delivered safely at speed, engineering teams should be accountable for the security of changes in the systems they develop and maintain with assistance by a security team that functions as a collaborative advisor. When venturing into unknown situations, like a rapid shift to remote-only work, it can be tempting to implement heavier approval processes — but this ultimately erodes stability by hindering the ability to continuously improve systems.
Kelly Shortridge
VP of Product Management & Product Strategy, Capsule8


The shift to a remote workforce has meant — and will continue to mean — that enterprises are exposing critical container-based applications to the public internet. Increasingly distributed work therefore also increases exposure to both external and insider attacks and data breach threats, if DevOps and DevSecOps teams cannot put countermeasures in place. Run-time auditing and compliance checks through CIS benchmarks, secrets auditing, and custom container audits are basic security requirements that are all the more important for distributed workforces. These strategies will help secure communications and extend the safeguards that protect enterprise networks in distributed work-from-home environments.
Glen Kosaka
VP Product, NeuVector


Given that developers often work with the code that is their employer's core intellectual property — the company's "crown jewels" — their endpoints present a security risk under any circumstances, let alone the expanded attack surface exposed by the shift to more remote and distributed work in response to COVID-19. For companies relying on legacy remote access solutions like VPN, VDI or DaaS, this usually means putting restrictions on endpoints — denying worker access to certain websites; prohibiting third-party applications and/or peripherals; banning the use of personal laptops for company business; denying admin-level permissions on corporate devices, even if each of these restrictions inhibits worker productivity. The answer is to leave those legacy solutions behind and deploy isolated workspaces — OS-based isolation to strongly protect corporate assets, both on corporate-owned devices and on non-corporate devices, allowing developers to work freely without compromising security. An isolated workspace approach puts an end to the outdated notion that developers' freedom of access and corporate security need to be competing priorities.
Marc Gaffan
CEO, Hysolate

Share this

Industry News

October 20, 2021

SonarSource added over 5,000 customers in the last 12 months, reaching the 15,000 commercial customers milestone in record time.

October 20, 2021

Actian announced the general availability of its newly released DataConnect 12 integration platform, demonstrating a continued focus on ease of use for complex data integration and data quality.

October 20, 2021

Salt Security announced new capabilities in its next-generation Salt Security API Protection Platform to secure GraphQL APIs.

October 20, 2021

vFunction announces the availability of the vFunction Application Transformation Engine and the expanded vFunction Modernization Platform, with new, advanced capabilities that enable enterprises to automatically assess, analyze, and manage the full modernization and migration process from start to finish.

October 20, 2021

Mage raised a $6.3 million seed round led by Gradient Ventures.

October 19, 2021

Couchbase announced its Couchbase Capella hosted Database-as-a-Service (DBaaS) offering on Amazon Web Services (AWS).

October 19, 2021

Checkmarx announced the launch of the Checkmarx Application Security Platform to help CISOs, AppSec teams, and developers address the growing and dynamic security challenges they face.

October 19, 2021

Tasktop announced Affinity Modeling for model-based integration in Tasktop Hub, helping Agile and DevOps software delivery teams reduce time to market and develop software faster.

October 19, 2021

Morpheus Data is continuing released version 5.3.3 targeted at enterprises trying to manage a complex mix of VMware, Kubernetes, and Public Cloud services.

October 19, 2021

Okta announced the availability of Okta Workflows as a standalone offering for all customers.

October 18, 2021

Red Hat announced a series of updates in its portfolio of developer tools and programs aimed at delivering greater productivity, security and scale for developers building applications on Red Hat OpenShift.

October 18, 2021

Pulumi released a public Registry that enables developers and infrastructure teams to apply “share and reuse” software principles to the modern cloud.

October 18, 2021

Fugue announced support for Kubernetes security prior to deployment.

October 18, 2021

Sysdig announced the addition of cloud security monitoring functionality to the Falco open source software project.

October 14, 2021

Red Hat announced the general availability of Red Hat OpenStack Platform 16.2, the latest version of its highly-scalable and agile cloud Infrastructure-as-a-Service (IaaS) platform.