Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
01:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

DevOps & SecOps: The Perks of Collaboration

Organizations can't bypass security in favor of speed, making SecOps a perfect complement to DevOps.

A quick search on the term DevOps shines a very telling light on where people see the value in this practice. Some proponents see DevOps as a faster path to market. Some feel that DevOps encourages faster innovation. Others suggest that entire organizations can literally move faster by virtue of using DevOps for product development. And still others who even think DevOps is TOO fast. Clearly, it's all about speed, baby.

There's nothing wrong with getting things done fast -- especially in the midst of demanding markets with brutal competition. DevOps provides fantastic results for organizations willing to build their product and IT delivery on the model. The rapid delivery of infrastructure, code, and data has powered an array of startups who are using customer feedback to propel them beyond incumbent players. Through continuous integration of systems, user experiences, and behaviors, DevOps adopters are better equipped to serve their customers and predict growing needs. As both a business and technology model, it's hard to disagree with the methodology and practice behind it.

Yet, this focus on speed has often resulted in short-shrift being given to proper security practices. For a team that's desperately trying to keep pace with new revs and beat competitors to market, the sometimes detailed work involved with security gets bypassed in favor of shortcuts and quick fixes. That unfortunately can open holes and risks that lead to major vulnerabilities.

In a 2016 study conducted by digital certificate company Venafi, 79% of CIOs surveyed indicated that they "expect the speed of DevOps to make it more difficult to know what is trusted and what is not." DevOps will continue to prevail as a development and deployment framework, but the speed metric by which it is measured must find a happy relationship with the need for the accuracy metric that dictates security.

Security and the people who manage it share some culpability in this. Most security solutions in use now were built to address an outdated model; they cater to decades-old computer architectures and are subsequently proprietary, slow, and resource-intensive. In most organizations, SecOps evolves slowly and are not prepared to address today's cloud-centric world, where security solutions must be agile, lightweight, loosely coupled, and extensible.

One way that DevOps teams can expand their purview is through the context of security. Ultimately, they need to assess all new data within the context of the controls and compliance requirements that were first introduced during initial development. These teams must evaluate their original threat model with their new environment. For organizations using the cloud, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.

There is some good news, however. With both DevOps and SecOps thought leaders are finding common ground through a marriage of the two and it’s driving a mindset of innovation, speed, and security. DevOps and security teams are collaborating internally rather than remaining stuck in the requestor/approver relationships. This signals an increased attention by organizations to aligning their security goals with the delivery of their products.

This new mindset really amounts to a discipline we can call DevSecOps. It is accelerating security intelligence to keep pace with continuously updated cloud environments that enable teams to detect problems faster, respond faster, and protect their resources more effectively.

We invite you to explore more with our webinar, On the Marriage of SecOps and DevOps. Learn how accelerating security intelligence to keep pace with continuously updated cloud environments enables teams to detect problems sooner, respond faster, and protect their resources more effectively.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19551
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the User Management screen of the Administrator web site. An attacker with access to the User Control Panel application can submit malicious values in some of the time/date formatting and time-zone fields. These fields are not b...
CVE-2019-19552
PUBLISHED: 2019-12-06
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the/admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another user...
CVE-2019-19620
PUBLISHED: 2019-12-06
In SecureWorks Red Cloak Windows Agent before 2.0.7.9, a local user can bypass the generation of telemetry alerts by removing NT AUTHORITY\SYSTEM permissions from a malicious file.
CVE-2019-19625
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (which provides the tools that generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2) leaks node information due to a leaky default configuration as indicated in the policy/defaults/dds/governance.xml document.
CVE-2019-19627
PUBLISHED: 2019-12-06
SROS 2 0.8.1 (after CVE-2019-19625 is mitigated) leaks ROS 2 node-related information regardless of the rtps_protection_kind configuration. (SROS2 provides the tools to generate and distribute keys for Robot Operating System 2 and uses the underlying security plugins of DDS from ROS 2.)