What is DevSecOps and why is it important?
To stand out against their competition, many organisations seek to roll out software updates more quickly and frequently so that they’re constantly responding to customer needs. In recent years, this has pushed forward the DevOps movement, which conjoins teams from software development and IT operations to streamline software and app creation and quickly implement updates or patches. As efficient as DevOps is, however, it can be lacking on the security front. If you don’t build security into your software and apps from the start, you open your organisation up to a whole host of problems.
Security by design
DevSecOps is a solution to this, in which security is built into the development lifecycle. Security decisions are made at the same time as development and operational decisions, incorporating security into applications from the beginning rather than hastily applying it when issues arise.
The imperative for privacy and security by design has grown in urgency following the introduction of GDPR in 2018, which brought far tougher data protection measures and a greater emphasis on responsibility and transparency. According to Geoff Parkhurst, CTO of Vouchercloud, the risk to companies’ bottom lines has pressed them to implement security practices as high up the chain as possible,
Through a DevSecOps framework, security becomes a natural component of the development process. It’s also easier and cheaper for security measures to be built into the software from the beginning, and, by pre-empting breaches down the line, you achieve both improved security and customer satisfaction.
Keeping ahead of the criminals
Any company that wants to boost efficiency and build secure software should use DevSecOps, advises Derek Weeks, co-founder of the online community All Day DevOps. He notes that in the past decade the time between a vulnerability announcement and exploits for it appearing in the wild has shrunk from 45 days to just three.
“For example, with the last major Struts vulnerability, multiple breaches occurred within three days of the vulnerability announcement at organisations including Equifax, Okinawa Power, GMO Payment Gateway and Canada Statistics. Teams that cannot deploy security updates within this timescale find themselves at significantly more risk of successful adversarial attacks.”
In Sonatype’s DevSecOps Community Survey, which asked nearly 6,000 IT professionals why they have implemented DevSecOps practices, Kayla Altepeter, a senior staff engineer at Merrill Corporation, said: “Security is important to us, yet if we take a traditional security approach our speed of development is severely slowed down. We need to be secure and move fast”.
This perfectly captures why DevSecOps matters, says Weeks. “It’s not just about automating. It’s about automating faster than evil.”
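One concrete form of the automation Weeks describes, added here as an illustration rather than code from the article or from any tool it mentions, is a dependency gate that a CI pipeline runs on every commit: it reads the project's pinned dependencies, compares each version against an advisory feed, and fails the build when a pin falls inside an affected range. That is the check that turns a three-day exploit window into a red build the same morning the advisory lands. The package names, versions and advisory identifiers (EXAMPLE-2019-…) below are constructed; a real pipeline would pull the advisories from a vulnerability database.

```python
"""Added example: a minimal dependency gate for a DevSecOps pipeline.

Illustrative code, not from the article or from any named tool. The
manifest and the advisory feed are constructed for the example.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically.

    Comparing the raw strings would put '1.10.0' before '1.9.0'. Missing
    components are padded with zeros so '1.2' equals '1.2.0'. Pre-release
    suffixes such as 'rc1' are dropped, a deliberate simplification.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # hypothetical identifier, not a real CVE


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (pip requirements style).

    Comments and blank lines are skipped; names are lower-cased so that
    'Foo' and 'foo' match the same advisory.
    """
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


def scan(manifest: dict, advisories: list) -> list:
    """Return (package, pinned_version, advisory_id, fixed_version) per hit."""
    findings = []
    for adv in advisories:
        ver = manifest.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            findings.append((adv.package, ver, adv.advisory_id, adv.fixed))
    return sorted(findings)


# Constructed sample requirements file: one affected pin, two clean ones.
MANIFEST = """# requirements.txt (constructed sample)
widgetlib==1.2.5      # inside the affected range below
netparse==0.9.1       # older than the affected range
logfmt==3.0.0         # exactly the fixed version
"""

# Constructed advisory feed; identifiers are hypothetical.
ADVISORIES = [
    Advisory("widgetlib", "1.2.0", "1.3.0", "EXAMPLE-2019-0001"),
    Advisory("logfmt", "2.0.0", "3.0.0", "EXAMPLE-2019-0002"),
    Advisory("netparse", "1.0.0", "1.0.4", "EXAMPLE-2019-0003"),
]


def gate(manifest_text: str = MANIFEST, advisories: list = ADVISORIES) -> int:
    """CI exit status: 0 when no pinned dependency is affected, 1 otherwise."""
    findings = scan(parse_manifest(manifest_text), advisories)
    for pkg, ver, aid, fixed in findings:
        print(f"FAIL {pkg}=={ver}: {aid}, upgrade to >= {fixed}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate())
```

Run as a pipeline step, a non-zero exit blocks the merge; the useful property is that the same check runs unchanged on every commit, so a newly published advisory fails the next build rather than waiting for a periodic audit.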
Implementing DevSecOps also gives businesses a chance to reassess who has access to what systems and information. As Schoenfeld points out, “despite how convenient it may be, it’s a really bad idea to allow everyone complete access to everything”. Companies need to use DevSecOps to limit access across the company so that only those who genuinely need privileged access to a system have it.
“This way enterprises can reduce the number of potential breaches, creating a more robust cyber security position,” he notes.
Downsides to DevSecOps?
Security does need to be built in as part of the culture, but although DevSecOps certainly points business leaders in the right direction, Parkhurst believes it still needs time to reach maturity. He’s concerned that it’s become a buzzword, which could turn it into a box-ticking exercise that allows businesses to say they’re “doing” DevSecOps without actually implementing it correctly.
“What I’ve seen – and this is a risk with any new buzzword-led process – is half-hearted adoption. The risk is that, instead of shifting security left, businesses just shift the person responsible for the security to the left…That’s always the risk with the latest ‘big thing’, that some well-meaning project manager or tech leader will try to push changes through without fully considering the ecosystem.
“The result is a security specialist now sitting closer to the start of the process. That’s certainly a slight benefit but the overall perception of security as a big stop sign for developers will still be a reality. It solves nothing.”
Culture change challenges
Then there’s the challenge of DevSecOps adoption, as this requires a complete cultural change within the business. This can be particularly difficult if companies already have a rigid development process and different security procedures in place, notes Schoenfeld.
Liz Rice, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee, advises that it’s important to empower employees and encourage them to adopt tools and processes that support their new style of working, especially in security, where the traditional tools are no longer sufficient. She points out that companies adopting DevSecOps must invest in significant education for staff, as these new tools and processes will also require their users to learn new skills.
“The transition is not simply a question of flipping a switch,” agrees Steven Furnell, a senior member of the IEEE and associate dean and professor of Information Security at the University of Plymouth. “It requires additional effort, such as ensuring staff are fully skilled or trained, and equipped with the necessary tools. As such it will require a culture change. As with many aspects of security there’s a price to pay but it should be seen as an investment rather than an overhead.”
Date: 2019-11-27
URL: http://feeds.itpro.co.uk/~r/ITPro/Today/~3/VWBqgHTLq0o/what-is-devsecops-and-why-is-it-important
itpro.co.uk