Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
01:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

DevOps & SecOps: The Perks of Collaboration

Organizations can't bypass security in favor of speed, making SecOps a perfect complement to DevOps.

A quick search on the term DevOps shines a very telling light on where people see the value in this practice. Some proponents see DevOps as a faster path to market. Some feel that DevOps encourages faster innovation. Others suggest that entire organizations can literally move faster by virtue of using DevOps for product development. And still others who even think DevOps is TOO fast. Clearly, it's all about speed, baby.

There's nothing wrong with getting things done fast -- especially in the midst of demanding markets with brutal competition. DevOps provides fantastic results for organizations willing to build their product and IT delivery on the model. The rapid delivery of infrastructure, code, and data has powered an array of startups who are using customer feedback to propel them beyond incumbent players. Through continuous integration of systems, user experiences, and behaviors, DevOps adopters are better equipped to serve their customers and predict growing needs. As both a business and technology model, it's hard to disagree with the methodology and practice behind it.

Yet, this focus on speed has often resulted in short-shrift being given to proper security practices. For a team that's desperately trying to keep pace with new revs and beat competitors to market, the sometimes detailed work involved with security gets bypassed in favor of shortcuts and quick fixes. That unfortunately can open holes and risks that lead to major vulnerabilities.

In a 2016 study conducted by digital certificate company Venafi, 79% of CIOs surveyed indicated that they "expect the speed of DevOps to make it more difficult to know what is trusted and what is not." DevOps will continue to prevail as a development and deployment framework, but the speed metric by which it is measured must find a happy relationship with the need for the accuracy metric that dictates security.

Security and the people who manage it share some culpability in this. Most security solutions in use now were built to address an outdated model; they cater to decades-old computer architectures and are subsequently proprietary, slow, and resource-intensive. In most organizations, SecOps evolves slowly and are not prepared to address today's cloud-centric world, where security solutions must be agile, lightweight, loosely coupled, and extensible.

One way that DevOps teams can expand their purview is through the context of security. Ultimately, they need to assess all new data within the context of the controls and compliance requirements that were first introduced during initial development. These teams must evaluate their original threat model with their new environment. For organizations using the cloud, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.

There is some good news, however. With both DevOps and SecOps thought leaders are finding common ground through a marriage of the two and it’s driving a mindset of innovation, speed, and security. DevOps and security teams are collaborating internally rather than remaining stuck in the requestor/approver relationships. This signals an increased attention by organizations to aligning their security goals with the delivery of their products.

This new mindset really amounts to a discipline we can call DevSecOps. It is accelerating security intelligence to keep pace with continuously updated cloud environments that enable teams to detect problems faster, respond faster, and protect their resources more effectively.

We invite you to explore more with our webinar, On the Marriage of SecOps and DevOps. Learn how accelerating security intelligence to keep pace with continuously updated cloud environments enables teams to detect problems sooner, respond faster, and protect their resources more effectively.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.