Mirantis announced the latest version of Mirantis Container Cloud -- MCC 2.23 -- that simplifies operations with the ability to monitor applications performance with a new Grafana dashboard and to make updates to Kubernetes clusters with a one-click “upgrade” button from a web interface.
It wasn't long ago when operations, development and security teams didn't talk to each other – and probably sat at different lunch tables in the cafeteria.
Fortunately, when it comes to operations and development, DevOps has changed the traditional compartmentalized style of development by eliminating silos. These teams recognize that operational considerations need to be factored into development decisions from the very beginning, and vice versa to achieve optimal performance.
But what about the security team? Security is largely still siloed from operations and development. No doubt, many DevOps teams have some security controls baked into their automation processes, but a recent survey shows there are still alarming gaps.
Survey Says: The Secret is Out
According to the 2018 CyberArk Global Advanced Threat Landscape report, fewer than half of DevOps survey respondents said DevOps and security teams are well integrated and 41 percent say security teams are only brought in at the end of the development cycle. It's hard to defend the notion that security is built into the DevOps process when most organizations admit that DevOps and security teams are not well integrated.
And while development and operations teams can be expected to be knowledgeable about security to a certain point, it is unreasonable to expect them to have the level of security expertise that security teams have acquired through years of experience. The lack of maturity when it comes to DevOps security is made apparent throughout the report.
Many DevOps teams run automatic vulnerability scans or take other measures to eliminate the low hanging security fruit. This is a great first step, but 75 percent of organizations reported they have no privileged account security strategy for DevOps. Even worse, 99 percent of respondents failed to identify the different places privileged accounts or secrets could exist in a DevOps environment.
Privileged accounts, secrets and credentials equal access to an organization's data and infrastructure. With this access, an attacker can impersonate anyone within the organization and take almost anything they want.
Infrastructure-as-code is the engine that fuels DevOps velocity. However, it also means that everything a DevOps team has done, institutional know-how and intellectual property can be more easily stolen.
Making the Case for DevOps Security
Attackers will exploit organizations where they are weak, making unsecured and unmanaged "secrets" – including privileged account credentials, SSH Keys, API keys and more – a new favorite target for attackers.
These secrets are often hardcoded in clear text or publicly accessible, making DevOps a massive security risk to organizations. Attackers know this and are currently exploiting these vulnerabilities and scanning for exposed SSH keys across the internet.
Bottom line – DevOps has changed the game in terms of productivity, but security needs to be a part of the journey. The move from waterfall to agile development has taught us the most efficient time to make a change is at the beginning of the process, which is true of security too.
Security teams need to be included in the DevOps process from the beginning to reduce the cost of changes made later on. Security tools have evolved over time to meet DevOps security teams and not to disrupt DevOps flow or velocity. Any credible security solution will need the ability to be automated and have a small, if not invisible, footprint on DevOps teams.
Industry News
Pegasystems announced updates to Pega Cloud supported by an enhanced Global Operations Center to deliver a more scalable, reliable, and secure foundation for its suite of AI-powered decisioning and workflow automation solutions.
D2iQ announced the launch of DKP Gov, a new container-management solution optimized for deployment within the government sector.
StackHawk announced the availability of StackHawk Pro and StackHawk Enterprise for trial and purchase through the Amazon Web Services (AWS) Marketplace.
Octopus Deploy announced the results KinderSystems has seen working with Octopus. Through the use of Octopus, KinderSystems automates its software deployment processes to meet the complex needs of its customers and reduce the time to deploy software.
Elastic Path announced Integrations Hub, a library of instant-on, no-code integrations that are fully managed and hosted by Elastic Path.
Yugabyte announced key updates to YugabyteDB Managed, including the launch of the YugabyteDB Managed Command Line Interface (CLI).
Ambassador Labs released Telepresence for Docker, designed to make it easy for developer teams to build, test and deliver apps at scale across Kubernetes.
Fermyon Technologies introduced Spin 1.0, a major new release of the serverless functions framework based on WebAssembly.
Torc announced the acquisition of coding performance measurement application Codealike to empower software developers with even more data that increases skills, job opportunities and enterprise value.
Progress announced a free online training and certification program for Progress® OpenEdge®, the flagship Progress application development platform.
Opsera announced five patents have been issued to enable enterprise engineering leaders and teams to gain unprecedented end-to-end visibility into their software delivery and accelerate the speed and security of delivery, all while maximizing their investment.
DuploCloud announced the general availability of its on-prem solution built on top of Kubernetes, focusing on containerized workloads with near term plans to integrate with on-prem compute, storage and networking vendors.
Postman announced the general availability of Postman Flows, a visual tool for creating API applications. Postman Flows simplifies building software by using APIs as the building blocks, allowing anyone to produce workflows, integrations, and automations in a collaborative environment without needing to write a single line of code.
SecureAuth announced an alliance partnership with HashiCorp®, enabling organizations to leverage SecureAuth’s advanced passwordless authentication and Multi-Factor Authentication (MFA) device recognition.