Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
01:00 PM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

DevOps & SecOps: The Perks of Collaboration

Organizations can't bypass security in favor of speed, making SecOps a perfect complement to DevOps.

A quick search on the term DevOps shines a very telling light on where people see the value in this practice. Some proponents see DevOps as a faster path to market. Some feel that DevOps encourages faster innovation. Others suggest that entire organizations can literally move faster by virtue of using DevOps for product development. And still others who even think DevOps is TOO fast. Clearly, it's all about speed, baby.

There's nothing wrong with getting things done fast -- especially in the midst of demanding markets with brutal competition. DevOps provides fantastic results for organizations willing to build their product and IT delivery on the model. The rapid delivery of infrastructure, code, and data has powered an array of startups who are using customer feedback to propel them beyond incumbent players. Through continuous integration of systems, user experiences, and behaviors, DevOps adopters are better equipped to serve their customers and predict growing needs. As both a business and technology model, it's hard to disagree with the methodology and practice behind it.

Yet, this focus on speed has often resulted in short-shrift being given to proper security practices. For a team that's desperately trying to keep pace with new revs and beat competitors to market, the sometimes detailed work involved with security gets bypassed in favor of shortcuts and quick fixes. That unfortunately can open holes and risks that lead to major vulnerabilities.

In a 2016 study conducted by digital certificate company Venafi, 79% of CIOs surveyed indicated that they "expect the speed of DevOps to make it more difficult to know what is trusted and what is not." DevOps will continue to prevail as a development and deployment framework, but the speed metric by which it is measured must find a happy relationship with the need for the accuracy metric that dictates security.

Security and the people who manage it share some culpability in this. Most security solutions in use now were built to address an outdated model; they cater to decades-old computer architectures and are subsequently proprietary, slow, and resource-intensive. In most organizations, SecOps evolves slowly and are not prepared to address today's cloud-centric world, where security solutions must be agile, lightweight, loosely coupled, and extensible.

One way that DevOps teams can expand their purview is through the context of security. Ultimately, they need to assess all new data within the context of the controls and compliance requirements that were first introduced during initial development. These teams must evaluate their original threat model with their new environment. For organizations using the cloud, this means updating their defense strategy with the limitations and requirements needed to operate in the cloud. It also means that if they adapt both their development and security operations, they can take advantage of continuous monitoring and automated remediation.

There is some good news, however. With both DevOps and SecOps thought leaders are finding common ground through a marriage of the two and it’s driving a mindset of innovation, speed, and security. DevOps and security teams are collaborating internally rather than remaining stuck in the requestor/approver relationships. This signals an increased attention by organizations to aligning their security goals with the delivery of their products.

This new mindset really amounts to a discipline we can call DevSecOps. It is accelerating security intelligence to keep pace with continuously updated cloud environments that enable teams to detect problems faster, respond faster, and protect their resources more effectively.

We invite you to explore more with our webinar, On the Marriage of SecOps and DevOps. Learn how accelerating security intelligence to keep pace with continuously updated cloud environments enables teams to detect problems sooner, respond faster, and protect their resources more effectively.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-9274
PUBLISHED: 2018-11-15
HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh.
CVE-2018-19286
PUBLISHED: 2018-11-15
The server in mubu note 2018-11-11 has XSS by configuring an account with a crafted name value (along with an arbitrary username value), and then creating and sharing a note.
CVE-2018-19287
PUBLISHED: 2018-11-15
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
CVE-2018-19288
PUBLISHED: 2018-11-15
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
CVE-2018-19289
PUBLISHED: 2018-11-15
An issue was discovered in Valine v1.3.3. It allows HTML injection, which can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file.