Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
01:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

DevOps & SecOps: The Perks of Collaboration

Organizations can't bypass security in favor of speed, making SecOps a perfect complement to DevOps.

A quick search on the term DevOps shines a very telling light on where people see the value in this practice. Some proponents see DevOps as a faster path to market. Some feel that DevOps encourages faster innovation. Others suggest that entire organizations can literally move faster by virtue of using DevOps for product development. And still others who even think DevOps is TOO fast. Clearly, it's all about speed, baby.

There's nothing wrong with getting things done fast -- especially in the midst of demanding markets with brutal competition. DevOps provides fantastic results for organizations willing to build their product and IT delivery on the model. The rapid delivery of infrastructure, code, and data has powered an array of startups who are using customer feedback to propel them beyond incumbent players. Through continuous integration of systems, user experiences, and behaviors, DevOps adopters are better equipped to serve their customers and predict growing needs. As both a business and technology model, it's hard to disagree with the methodology and practice behind it.

Yet, this focus on speed has often resulted in short-shrift being given to proper security practices. For a team that's desperately trying to keep pace with new revs and beat competitors to market, the sometimes detailed work involved with security gets bypassed in favor of shortcuts and quick fixes. That unfortunately can open holes and risks that lead to major vulnerabilities.

In a 2016 study conducted by digital certificate company Venafi, 79% of CIOs surveyed indicated that they "expect the speed of DevOps to make it more difficult to know what is trusted and what is not." DevOps will continue to prevail as a development and deployment framework, but the speed metric by which it is measured must find a happy relationship with the need for the accuracy metric that dictates security.

Security and the people who manage it share some culpability in this. Most security solutions in use now were built to address an outdated model; they cater to decades-old computer architectures and are subsequently proprietary, slow, and resource-intensive. In most organizations, SecOps evolves slowly and are not prepared to address today's cloud-centric world, where security solutions must be agile, lightweight, loosely coupled, and extensible.

One way that DevOps teams can expand their purview is through the context of security. Ultimately, they need to assess all new data within the context of the controls and compliance requirements that were first introduced during initial development. These teams must evaluate their original threat model with their new environment. For organizations using the cloud, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.

There is some good news, however. With both DevOps and SecOps thought leaders are finding common ground through a marriage of the two and it’s driving a mindset of innovation, speed, and security. DevOps and security teams are collaborating internally rather than remaining stuck in the requestor/approver relationships. This signals an increased attention by organizations to aligning their security goals with the delivery of their products.

This new mindset really amounts to a discipline we can call DevSecOps. It is accelerating security intelligence to keep pace with continuously updated cloud environments that enable teams to detect problems faster, respond faster, and protect their resources more effectively.

We invite you to explore more with our webinar, On the Marriage of SecOps and DevOps. Learn how accelerating security intelligence to keep pace with continuously updated cloud environments enables teams to detect problems sooner, respond faster, and protect their resources more effectively.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36388
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36389
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2021-32575
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
CVE-2021-33557
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
CVE-2021-23396
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.