After a major security breach, is it time to rethink DevSecOps?
Recent attention Hacking at Rockstar Games and Uber It may not be due to DevSecOps issues, but a discussion of this aspect of security may be worth doing now.
One of the goals of applying the DevSecOps approach to software development is to introduce security earlier in the cycle rather than later. Whether it leads to better security is debatable.
Speed of development and deployment with built-in security are some of the expected benefits of DevSecOps, but even without compromise, it can mean that different types of teams will have to adapt to each other. What if those compromises included relaxing the security to deliver the software?
“We need to focus on tools and automation to keep security engineering moving at the same speed and visibility. oak 9, a security platform for developers. Security engineering has matured beyond using Microsoft Word documents to define how security is implemented, he said. According to Vyas, security automation could help us better understand the potential of DevSecOps. “Why can’t a security engineer sit down with his DevOps team and truly unlock DevSecOps?”
Coordinating the elements of DevSecOps requires focus and understanding. Especially when the elements are used to working independently of each other. Digi International“Security and operations may not really work in the business unit where the development actually takes place. [in]”
Changing DevSecOps culture
This can get the team caught up in other tasks, he says, and may make certain codebases less of a priority for them. DevSecOps culture has changed to introduce more security testing, he says, but development teams may be frustrated at first. “A lot of false positives get flagged. There will be some fatigue there,” he says.
It’s much more expensive to introduce a fix into production after a problem occurs, Heller says, so there needs to be more mutual understanding. Most security tools are designed around incidents that have already happened. In other words, there may be gaps in our perception of new types of attacks. “many [zero-day vulnerabilities] The source of the breach may simply be something we didn’t know about. Or maybe it’s the human factor,” he says.
Bold honesty can be part of the remedy for holding up DevSecOps in the face of rising security threats. “Every business in America, every company in global IT, at some point should admit that they are going to be hit by a breach that they won’t notice for six to 12 months,” he says. Security should be fully integrated into his DevSecOps team, he says.
DevSecOps is often tied to CI/CD for customers, and the pressure to roll out features as quickly as possible can compete with another aspect of the strategy, Heller said. “Security people want to slow things down so that what customers are getting is not at risk,” he says.
Importance of prioritization
Understanding the true severity of potential risks can help bridge the gap between these schools of thought and prioritize how organizations respond, says Heller. “You can’t do it all, you need a rubric that enables DevOps autonomy,” he says. “DevOps doesn’t want security to examine every finding in software configuration tools.”
In your rush to automate all things IT and security, you may want something from DevSecOps capabilities. “We don’t spend time manually figuring out what we’re doing before we do automation,” he says. For example, developers can create automations for pipeline operations tasks, but operations may not understand the codebase, which can lead to confusion. “They need to be there to help build it together, so they need to understand what’s going on in this way,” he says. Putting security tools in the pipeline with other teams that don’t understand can also lead to confusion and vulnerabilities.
“Sometimes operations and security are under the umbrella of IT, while others are more focused on other business goals,” says Heller. “In order for his DevSecOps team to truly reach the level of understanding required, they need to be embedded as a team and work for that business unit so that their goals are the same.”
What to read next:
4 lessons learned from the latest Uber breach
https://www.informationweek.com/devops/is-it-time-to-rethink-devsecops-after-major-security-breaches- After a major security breach, is it time to rethink DevSecOps?
