Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Lamont Orange
Lamont Orange
Connect Directly
E-Mail vvv

DevSecOps: The Answer to the Cloud Security Skills Gap

There's a skills and resources gap industrywide, but a DevSecOps approach can go a long way toward closing that gap.

Digital transformation is driving change in every corner of the security industry. Organizations are evolving and expanding into the cloud rapidly, but their security teams and legacy data centers are holding them back. A skills and resources gap exists industrywide, but implementing a DevSecOps approach is key toward bridging that gap. 

DevSecOps, an inherently agile and nimble approach to security, is well suited for a more cloud-enabled future. Bringing together formerly isolated teams under one function allows security to be built in throughout the development process, also known as security by design, meaning that security can be more than an afterthought at the beginning and the end. 

But DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps. Before you change your direction, you first need to address the issues with your current posture, understand the capacity of your current security teams, and find a guiding principle to drive your development. Here's where to start.

New Solution, Same Old Mistakes
Faced with the evolving threats brought on by digital transformation, organizations need to be aware of their existing postures and shortcomings in protecting their data.

This means asking questions about how you can improve your security posture in the cloud and rethink your best practices, finding the elements that are most germane to your organization. Instead of using the monolithic code that lived inside your data center, you have to architect your infrastructure from the beginning to continuously monitor based around these principles.

Because of digital transformation, your security posture will change and your best practices will need to be tweaked. Having a DevOps team that is questioning the past, and improving your security posture throughout this iterative transformation will pay off as your organization continues to scale.

Cloud-enabled security is meant to be iterative. It's a foregone conclusion that you're going to have incidents, but a DevSecOps team that is constantly iterating can catch them faster and fix issues as they come up. The security exists throughout the process, not just at the endpoints. This is the goal.

After solving this problem, you then need to make sure you have the right team for the job.

Mind the Skills Gap
I've talked with many organizations that tell me they've been doing DevOps for a long time, but that's often not entirely true. Sure, they have people monitoring their data centers, making sure the lights on the boxes are still blinking, but they aren't actually digitally transforming that team. As security moves into the cloud, that team is going to be responsible for rebuilding that infrastructure in the cloud, and if security isn't a part of the conversations around this infrastructure, organizations are missing a huge opportunity.

When organizations decide they want to do DevSecOps, they turn to a team, be it development, operations, or security, and tell them they need to get on board with transforming, often without the proper skills, resources, or guidelines. You need to know your DevOps teams' comfort level with security, and around digital transformation. For example, if they don't know about serverless infrastructure, beyond the obvious, then you're in for trouble.

Expecting a team to exclusively learn on the fly is basing a strategy on hope, which is always doomed to fail. Instead, take your spare moments and offer your DevSecOps team opportunities to learn from their blind spots, whether with additional certifications or shadowing. It doesn't have to be perfect, but every bit helps. This way, they are constantly getting better and modernizing, improving themselves as they improve your security infrastructure. 

Find the North Star 
DevSecOps can only help solve for issues if you have a guiding principle, or north star, for what you're trying to accomplish.  Doing this means making sure you know how you're implementing and improving your security posture in the cloud.

It's important to factor in security as you go, and embody visibility and contextual application of controls. For a long time, security teams pushed for access within the enterprise perimeter, but the transition to cloud computing is making all of that access obsolete, clouding their visibility and the effectiveness of how perceived controls will work in the cloud.

DevSecOps is all about consolidating teams to pool resources, better leverage skills, and realize unified goals and perspectives, which are key. And as I noted earlier, this doesn't have to be perfect.  Success with DevSecOps comes with being cloud curious and learning what matters most to your organization. This is an opportunity to take a modernized security stack to the cloud, in addition to business innovation. It's a fresh start to security, forecasting increased visibility and contextual controls applied at scale, all while supporting the agility of the business, all of which makes for a well-defined transformation. The lessons learned are:

  • If you're not transforming your security teams and capabilities, you're falling behind.
  • If you're resting on your existing security capabilities, you're going blind.
  • Context is key, resistance to change is not innovative, and most of your traffic is traversing the Web.

You're going to have bumps along the way, and have to iterate, but each iteration will make your DevSecOps team learn and better prepared for whatever the next threat presents.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "8 Backup & Recovery Questions to Ask Yourself."

Lamont Orange has more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as senior manager for the security and technology services practice at ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
11/22/2019 | 4:02:37 PM
Completely agree!
Lamont -- Great article and I couldn't agree more--DevSecOps goes a long way towards helping with the crushing skills gap. As you said "... DevSecOps only works if organizations are willing to give their teams the resources and tools to successfully bridge those skill and resource gaps." In speaking with organizations, we see that many of them today have between 12 and 15 application security and testing tools in use. And each tool often requires its own separate team for management. This obviously exacerbates constrained resources, and this is where we've seen the benefits of orchestration come in. By eliminating the need to manually evaluate, deploy and manage all of these scanning and testing tools, lean security teams can refocus their effort and skills on projects more critical to the business. In many organizations, we've seen this shift have residual benefits such as empowering a more satisfied, productive workforce and reducing employee churn. Lamont, let me know if you would like to connect live to discuss this further. John Worrall, ZeroNorth
User Rank: Author
11/17/2019 | 3:32:40 AM
Interesting article
Interesting article
User Rank: Apprentice
11/17/2019 | 12:24:16 AM
thank pro
thank so much
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...