Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/2/2020
10:00 AM
Connect Directly
Twitter
RSS
E-Mail

6 Security Team Goals for DevSecOps in 2020

Huge opportunities await security teams that are finally ready move the needle on security problems that have plagued organizations for years.
4 of 7

Make Big Security Gains with Policy as Code 

In the DevOps world, the biggest gains have been achieved through an 'everything-as-code' approach that has made it so much easier to spin up and down reliable, repeatable infrastructure components. In the future this could be a huge boon for security and compliance purposes, but right now there's a big gap between DevOps and security teams, says Tim Hinrichs, CTO and co-founder of Styra.

'This is particularly the case when audit time rolls around; auditors often have to be manually walked through security practices in containerized environments,' he says.

Hinrichs believes that teams should be seeking to adopt policy-based controls that are manifested in a policy-as-code format to help 'eliminate manual code reviews, ease compliance efforts, and eliminate process bottlenecks.' 

Sid Phadkar, a senior product manager at Akamai, agrees that many organizations are going to be building security policies directly within code to help deal with big compliance demands set upon them by regulations like GDPR.

'There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into everyday CI workflows,' Phadkar says.

This will not only be a boon for compliance but also to generally ease security automation and container orchestration, says Glen Kosaka, vice president of product at NeuVector, explaining that DevSecOps teams should be looking to set security policies for 'any and all workload deployments' through YAML files.

'Security 'policy as code' -- and, overall, easier security automation -- will change how DevSecOps teams approach container security in 2020,' Kosaka says. Expect this evolution of more efficient and automated security integration processes to be a particularly welcome change for DevOps next year.

Image Source: Adobe (joyfotoliakid)

Make Big Security Gains with Policy as Code

In the DevOps world, the biggest gains have been achieved through an "everything-as-code" approach that has made it so much easier to spin up and down reliable, repeatable infrastructure components. In the future this could be a huge boon for security and compliance purposes, but right now there's a big gap between DevOps and security teams, says Tim Hinrichs, CTO and co-founder of Styra.

"This is particularly the case when audit time rolls around; auditors often have to be manually walked through security practices in containerized environments," he says.

Hinrichs believes that teams should be seeking to adopt policy-based controls that are manifested in a policy-as-code format to help "eliminate manual code reviews, ease compliance efforts, and eliminate process bottlenecks."

Sid Phadkar, a senior product manager at Akamai, agrees that many organizations are going to be building security policies directly within code to help deal with big compliance demands set upon them by regulations like GDPR.

"There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into everyday CI workflows," Phadkar says.

This will not only be a boon for compliance but also to generally ease security automation and container orchestration, says Glen Kosaka, vice president of product at NeuVector, explaining that DevSecOps teams should be looking to set security policies for "any and all workload deployments" through YAML files.

"Security 'policy as code' -- and, overall, easier security automation -- will change how DevSecOps teams approach container security in 2020," Kosaka says. Expect this evolution of more efficient and automated security integration processes to be a particularly welcome change for DevOps next year.

Image Source: Adobe (joyfotoliakid)

4 of 7
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
News
OAuth, OpenID Flaw: 7 Facts
Mathew J. Schwartz 5/8/2014
Quick Hits
Study: Many UK Retail, Financial Firms Still Don't Understand Security Risks
Tim Wilson, Editor in Chief, Dark Reading 5/8/2014
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Your new device is too complex. Me stick with iWheel.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21312
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen...
CVE-2021-21313
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not proper...
CVE-2021-21314
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
CVE-2021-27931
PUBLISHED: 2021-03-03
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27935
PUBLISHED: 2021-03-03
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.