On DevSecOps: Putting Security Into DevOps Requires a Risk-First Mindset-Part 2
August 27, 2020

Jon Collins
Gigaom

At its heart, cybersecurity is about either identifying, or mitigating weaknesses — a raft of vulnerability management products already exist that can scan infrastructure, network connections, software stacks, and indeed, applications and code, and can potentially recommend fixes, or even apply instrumentation and patches.

Start with On DevSecOps: Putting Security Into DevOps Requires a Risk-First Mindset - Part 1

Note however, that use of these tools doesn't deliver DevSecOps (though it's a start): to make this happen effectively, we need to add the process element. SecOps is an established term to describe operational security practice; DevSecOps brings best practice to the development side of the “Wall of Confusion.” Which raises an important point: be wary of any security tools vendor that claims to have a DevSecOps offering. "Just" having a security scanning tool with an API (so it can be launched from within the CI/CD pipeline) does not a DevSecOps tool make.

However, a range of process support features can help programmers, managers, SREs and so on identify and address security issues before they happen — features such as inline guidance, prioritization of fixes, and integration with repositories/registries so that only “clean” artifacts are deployed.

All of these reduce inherent risk: done right, they do so in a way that aligns with human behavior, for example adding advice in a developer-friendly form. This, too, reduces the overall risk as it makes it more likely for the code to be secure out of the gate.


In addition, a significant element of DevOps is “as-code” in which various aspects of a system and its context can be written textually, and stored under version control, alongside application source. As well as deployment information (which can also be scanned), this can include security policies and profiles, to be taken into account across development and into deployment. The as-code model enables DevSecOps to be policy-driven, and creates an up front opportunity for security and application experts to collaborate, decide, and encode, security measures.

The overall goal of DevSecOps is to give the development process the security it needs, from end to end — security from the outset, rather than laudable, yet somewhat half-cocked shift-left idea (security scanning done earlier is no doubt better but presents an incomplete picture of success).

DevSecOps brings security back into the mix as a first-class citizen — encouraging the incorporation of locks for the barn door early on, rather than fitting them after the horse has bolted. In this way, security can be built in, by design, without being at the expense of agility.

If we could offer one piece of advice, it is to start from the point of view of business risk, and build this into strategy setting at every level

With DevSecOps done right, risks of slow delivery and of future breach can be mitigated in parallel, without seeing one as a threat to the other. And security teams and application teams can work together, rather than feeling like antagonistic neighbors, which reduces risk still further.

If we could offer one piece of advice, it is to start from the point of view of business risk, and build this into strategy setting at every level: the risk of having to fix something later on in the process is just as relevant as the risk of a privacy breach once software is deployed. Security doesn't have to be about prevention, but it does have to be about awareness, that all actions have consequences, not least that a relatively a small investment now may prevent a costly consequence later.

Jon Collins is VP of Research for Gigaom
Share this

Industry News

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.

November 28, 2022

Simplilearn has acquired Fullstack Academy, for an all-cash transaction.

November 22, 2022

Red Hat introduced Red Hat Enterprise Linux 9.1and Red Hat Enterprise Linux 8.7.

November 22, 2022

Armory announced its new cloud-based solution called Continuous Deployment-as-a-Service, now available on the AWS Marketplace.