Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
01:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

DevOps & SecOps: The Perks of Collaboration

Organizations can't bypass security in favor of speed, making SecOps a perfect complement to DevOps.

A quick search on the term DevOps shines a very telling light on where people see the value in this practice. Some proponents see DevOps as a faster path to market. Some feel that DevOps encourages faster innovation. Others suggest that entire organizations can literally move faster by virtue of using DevOps for product development. And still others who even think DevOps is TOO fast. Clearly, it's all about speed, baby.

There's nothing wrong with getting things done fast -- especially in the midst of demanding markets with brutal competition. DevOps provides fantastic results for organizations willing to build their product and IT delivery on the model. The rapid delivery of infrastructure, code, and data has powered an array of startups who are using customer feedback to propel them beyond incumbent players. Through continuous integration of systems, user experiences, and behaviors, DevOps adopters are better equipped to serve their customers and predict growing needs. As both a business and technology model, it's hard to disagree with the methodology and practice behind it.

Yet, this focus on speed has often resulted in short-shrift being given to proper security practices. For a team that's desperately trying to keep pace with new revs and beat competitors to market, the sometimes detailed work involved with security gets bypassed in favor of shortcuts and quick fixes. That unfortunately can open holes and risks that lead to major vulnerabilities.

In a 2016 study conducted by digital certificate company Venafi, 79% of CIOs surveyed indicated that they "expect the speed of DevOps to make it more difficult to know what is trusted and what is not." DevOps will continue to prevail as a development and deployment framework, but the speed metric by which it is measured must find a happy relationship with the need for the accuracy metric that dictates security.

Security and the people who manage it share some culpability in this. Most security solutions in use now were built to address an outdated model; they cater to decades-old computer architectures and are subsequently proprietary, slow, and resource-intensive. In most organizations, SecOps evolves slowly and are not prepared to address today's cloud-centric world, where security solutions must be agile, lightweight, loosely coupled, and extensible.

One way that DevOps teams can expand their purview is through the context of security. Ultimately, they need to assess all new data within the context of the controls and compliance requirements that were first introduced during initial development. These teams must evaluate their original threat model with their new environment. For organizations using the cloud, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.

There is some good news, however. With both DevOps and SecOps thought leaders are finding common ground through a marriage of the two and it’s driving a mindset of innovation, speed, and security. DevOps and security teams are collaborating internally rather than remaining stuck in the requestor/approver relationships. This signals an increased attention by organizations to aligning their security goals with the delivery of their products.

This new mindset really amounts to a discipline we can call DevSecOps. It is accelerating security intelligence to keep pace with continuously updated cloud environments that enable teams to detect problems faster, respond faster, and protect their resources more effectively.

We invite you to explore more with our webinar, On the Marriage of SecOps and DevOps. Learn how accelerating security intelligence to keep pace with continuously updated cloud environments enables teams to detect problems sooner, respond faster, and protect their resources more effectively.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.