Why DevSecOps and not just DevOps?
(Figure source: Gartner)

Amazon Web Services, a premier proponent and purveyor of DevOps services, defines DevOps as:

“The combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.

Under a DevOps model, development and operations teams are no longer “siloed.” Sometimes, these two teams are merged into a single team where the engineers work across the entire application lifecycle, from development and test to deployment to operations, and develop a range of skills not limited to a single function.

In some DevOps models, quality assurance and security teams may also become more tightly integrated with development and operations and throughout the application lifecycle.

These teams use practices to automate processes that historically have been manual and slow. They use a technology stack and tooling which help them operate and evolve applications quickly and reliably. These tools also help engineers independently accomplish tasks (for example, deploying code or provisioning infrastructure) that normally would have required help from other teams, and this further increases a team’s velocity.”

When security is the focus of everyone on a DevOps team, this is sometimes referred to as DevSecOps. Security therefore becomes the concern of developers, testers, network engineers, infrastructure experts (compute, server, network and storage management), and production (operations managers).

With DevSecOps, enterprises can develop modern applications securely by focusing on four key areas:

1. Web-based attacks (e.g., the OWASP Top 10)
2. Catching security “bugs” early in the development process. This reduces remediation costs five-fold (Source: Gartner)
3. Continuous Integration / Continuous Delivery (CI/CD) processes and tools that offer real-time compliance for HIPAA, FINRA, PCI-DSS, FedRAMP and other regulatory regimes
4. Instrumenting and monitoring the threat landscape in real time using advanced threat correlation, logging, monitoring, and alerting, and thereby providing excellent customer service

Since most applications are now delivered via a web browser, discovering web-based vulnerabilities is more important than ever. The Open Web Application Security Project (OWASP), a leading industry security association, published the most common categories of vulnerability in web-based applications in its Top 10 list for 2021:

· Broken Access Control
· Cryptographic Failures
· Injection
· Insecure Design
· Security Misconfiguration
· Vulnerable and Outdated Components
· Identification and Authentication Failures
· Software and Data Integrity Failures
· Security Logging and Monitoring Failures
· Server-Side Request Forgery (SSRF)

We also stress that compliance with regulatory regimes (e.g., HIPAA, PCI-DSS, FedRAMP) is critical for meeting client requirements. DevSecOps covers all the major technical components needed to satisfy compliance and/or security requirements.

Since DevSecOps is critical to building web-scale applications and to discovering vulnerabilities, security engineers working in DevSecOps must cover at least the following:

1. Source code analysis for security vulnerability discovery
2. Open-source vulnerability discovery
3. API management and behavior
4. CI/CD automation to speed up application delivery
5. Secrets management and access control across the SDLC
6. Kubernetes / container security
7. Logging and monitoring
8. Real-time application monitoring
9. Runtime security management
10. Penetration testing

Each of the items listed above can and should be detailed by any DevSecOps team worth its salt. If your team is not paying attention to any of these core vulnerability discovery processes, you should ask why.
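As an added example (not from the article or from any particular vendor's tooling), the Python below shows what items 1 and 4 above look like when wired together: a CI gate that reads the SARIF 2.1.0 report most SAST scanners emit and blocks the merge on High/Critical findings while only reporting Medium ones. The SARIF document, the rule ids and the severity thresholds are constructed for the example.

```python
import json

# Constructed SARIF 2.1.0 report standing in for a real SAST scanner's output;
# "security-severity" is the CVSS-style score many SARIF producers attach to rules.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
            {"id": "XSS-002", "properties": {"security-severity": "6.1"}},
            {"id": "LOG-003", "properties": {"security-severity": "3.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "message": {"text": "String-built SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-002", "message": {"text": "Unescaped template output"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-003", "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/audit.py"},
                                                 "region": {"startLine": 5}}}]},
        ],
    }],
})

FAIL_AT = 7.0  # High/Critical findings block the merge (policy assumption)
WARN_AT = 4.0  # Medium findings are reported but do not block

def evaluate_sarif(sarif_text, fail_at=FAIL_AT, warn_at=WARN_AT):
    """Return (blocking, warnings); each entry is (ruleId, file, line, score)."""
    blocking, warnings = [], []
    for run in json.loads(sarif_text)["runs"]:
        # Each rule's declared score; rules without one score 0 and pass silently.
        scores = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                  for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            score = scores.get(res.get("ruleId"), 0.0)
            loc = res["locations"][0]["physicalLocation"]
            item = (res["ruleId"], loc["artifactLocation"]["uri"],
                    loc["region"]["startLine"], score)
            if score >= fail_at:
                blocking.append(item)
            elif score >= warn_at:
                warnings.append(item)
    return blocking, warnings

def gate(sarif_text):
    """CI step exit status: 1 blocks the pipeline on any finding at or above FAIL_AT."""
    blocking, _ = evaluate_sarif(sarif_text)
    return 1 if blocking else 0
```

Run as a pipeline step after the scanner, `gate()` is the exit status; the Medium finding is surfaced for the developer without stopping delivery, which is the shift-left trade-off item 2 above is about.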

If you need more information on how DevSecOps should be implemented in your environment, please reach out to [email protected]
