Making the Shift for a Complete Security Approach
November 18, 2019

Dan Hubbard
Lacework

In today's development lifecycle, fast, reliable and efficient define the model. DevOps is the driving force behind efficient software development as DevOps teams are now both reflecting and defining business models as they operate in a continuous cycle of development, integration, deployment and innovation. This coordination allows not only for organizations to be far more responsive, but also for speed to define the operations and data that function in runtime.

Microservices, container orchestration, virtualized machines; these and other tools have created an entire industry to support the fast, continuous development approach. But while efficiency and speed bring competitive advantages, something is still missing: security. With the luxury of speeds comes the by-product of overly pushed data during the development phase. This opens the question of which is more important — speed or security?

The reality is that while we all strive for fast and efficient solutions; the integrity and security of the work are compromised. The lack of coordination witnessed in recent cyber-attacks calls attention to the differing ideals of SecOps and DevOps teams.

In an attempt to merge these seemingly conflicting efforts, let's look at just a few of the latest security approaches and how to encompass the process of shifting left in order to apply concepts of security during the development and delivery stage.

Track Vulnerabilities vs. Being Vulnerable

Tracking vulnerabilities is a no-brainer but what you really want to know is how you have become vulnerable in the first place. This means you need to combine the latest vulnerabilities with your risk and exposures in your infrastructure. If you have a vulnerability that is open to the world that is a lot different than one that is sitting pre-deploy in your image repository.

As the lines between development and runtime overlap more and more, and because there is such a heavy reliance on the speed and output coming from DevOps, security has to operate at every point where data is created, transacted, integrated, and applied. Anything pushed into production that has a vulnerability creates the potential for a security issue later. Catching it while it's being created delivers demonstrable value because it reduces the burden on security operations teams and increases the availability of services.

What's needed is a complete approach not just a "unified" approach. Instead of pulling together functionality from various sources of IP, you can instead apply already underlying technologies to extend the security visibility and detection capabilities across everything an organization's infrastructure and data touch.

A Complete Security Approach

By extending security to the left side of the application continuum, developers participate in their organization's security approach; automation gives them the ability to actively contribute to effective security without placing constraints on speed or agility. The result is an organization-wide approach to the security and compliance of data and operations. This means:

Development teams can deploy services that have been developed with the discipline of security automatically embedded in their innate processes. Using the visibility and threat detection of a security platform, they can identify unexpected risks and threats much earlier in the development cycle. This also provides them with a greater understanding of where issues happen so they can create processes that eliminate them in the future. DevOps teams can rely on built-in security protections that are already blessed by the organization, which accelerates their development cycles.

Security teams will learn more from the results of anomaly detection and will benefit from continuous security and compliance in a way that gets them out of reactive mode and takes more control over DevOps and other IT operations. With some organizations pushing increasingly massive numbers of fixes and changes into production every day, security has to provide a way to monitor, detect, and alert. Complete, continuous security and compliance delivered with automation is the most effective way to do this.

Business teams are ultimately the biggest beneficiary of this modern approach. The dev process is accelerated, quality is improved, and compliance is monitored and addressed before it becomes a problem. Rather than accepting the inherent tension between DevOps and security teams, the business benefits from faster delivery, more security production, and an established place in their respective market.

By using a security approach that is complete and has been designed specifically to meet the challenges of public cloud environments in both build-time and run-time operations, organizations can take advantage of a security-first model that enables continuous visibility, automation, and the ability to move fast. This will not only strengthen security, but it will also provide compliance and DevOps teams with the tools and processes they need to successfully meet the requirements of the cloud era.

Dan Hubbard is CEO of Lacework
Share this

Industry News

December 10, 2019

Redgate Software launched its fourth annual State of Database DevOps Survey.

December 10, 2019

Compuware has signed a definitive agreement to acquire the assets of INNOVATION Data Processing, a provider of enterprise data protection, business continuance and storage resource management solutions serving the mainframe market.

December 10, 2019

Dynatrace announced its Autonomous Cloud Enablement (ACE) Practice to accelerate DevOps’ movement to autonomous cloud operations.

December 09, 2019

NS1, announced the expansion of its suite of integrations to include Kubernetes, Consul, Avi Networks (VMWare NSX), NGINX, and HAProxy.

December 09, 2019

CloudBees announced an extension of its partnership with Google. As a Google Cloud Run launch partner, CloudBees will offer developers more flexibility in their deployment of containerized applications.

December 09, 2019

EPAM Systems has expanded its crowdtesting software solutions to enable user story testing.

December 05, 2019

Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.

December 05, 2019

Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.

December 05, 2019

Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.

December 04, 2019

CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.

December 04, 2019

Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.

December 04, 2019

WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.

December 03, 2019

Styra is addressing one of the most significant enterprise blockers of Kubernetes: compliance. With Styra, enterprises can move Kubernetes clusters into production en masse while complying with traditional governance, audit, and compliance rules and regulations.

December 03, 2019

Nureva added 13 agile-themed templates to Span Workspace, Nureva’s expansive cloud-based digital canvas for visual planning and team collaboration.

December 03, 2019

Threat Stack announced support for AWS Fargate in the Threat Stack Cloud Security Platform.