Put more 'Sec' in your DevSecOps – TechBeacon

It wasn’t so long ago that the DevOps and cloud deployment models first appeared. Since then, they have raised many questions and challenges for enterprise DevOps, particularly in security.
One challenge is bringing DevOps and security together as DevSecOps. DevSecOps makes security part of the software development lifecycle rather than an afterthought, which makes it a critical competency for the modern information security professional.
At its core, DevOps is the practice of reacting quickly to the business’s changing requirements, expectations, and environment. As business expectations change, so must the code that runs and protects the business. Being able to anticipate the business’s requirements and proactively patch or upgrade is crucial for running applications across clouds.
So how do you ensure that developers are delivering secure code to production? DevSecOps requires a new security-centered mindset for developers, who then need the means for securing the software in production.
Here are some of the new security practices my team has seen that will help the progression of DevSecOps.
All developers should understand the importance of security in the code they write. Secure code enhances the value of software, and developers need to understand that poor security practices have harmful consequences. The continuous delivery of secure code involves using security tools, services, and platforms to identify vulnerabilities while still moving the software at the speed of business. This shifts security left, toward the development phase.
Even so, the development and delivery of secure code must continue throughout the lifecycle of an application. For example, it is critical to build security controls into new software for data in transit, device management, user authentication, and access control. And cloud and containers, both of which have become critical elements of the DevOps model, have their own security considerations that must be fully understood.
Whenever possible, development teams should work with the release engineering team to establish an automated process for responsible software releases, meaning each release is automatically evaluated for its security posture.
Deployment is best done at scale, using a centralized policy engine managed by the DevOps organization for on-premises and cloud deployments.
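As an added illustration of the automated release evaluation described above (not code from the article or from TechBeacon), the policy evaluator below gates a release on its scanner findings, the controls it declares and any secrets found in the artifact. The policy and release data are constructed samples, and the field names are assumptions.

```python
"""Release gate: evaluate a release's security posture against a central policy.

Added illustration (not TechBeacon's or any vendor's code). Assumes a release
bundle carrying scanner findings and declared controls as a dict, and a policy
dict shared by on-prem and cloud pipelines; both are constructed below.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate_release(release: dict, policy: dict) -> Decision:
    """Collect every violated rule so the denial is actionable, not just the first."""
    reasons = []
    # Rule 1: no unresolved finding at or above the policy's blocking severity.
    block_at = SEVERITY_RANK[policy["block_at_severity"]]
    for f in release.get("findings", []):
        if not f.get("resolved") and SEVERITY_RANK[f["severity"]] >= block_at:
            reasons.append(f"unresolved {f['severity']} finding {f['id']}")
    # Rule 2: every control the policy requires must be declared by the release.
    declared = set(release.get("controls", []))
    for control in policy["required_controls"]:
        if control not in declared:
            reasons.append(f"missing control: {control}")
    # Rule 3: any secret detected in the artifact blocks regardless of severity.
    if release.get("secrets_found", 0) > 0:
        reasons.append(f"{release['secrets_found']} secret(s) found in artifact")
    return Decision(allowed=not reasons, reasons=reasons)

# Constructed sample policy: block on high or critical; require the controls
# the article calls out (data in transit, authentication, access control).
POLICY = {"block_at_severity": "high",
          "required_controls": ["tls_in_transit", "authn", "access_control"]}

# Constructed sample release: one open critical, one resolved high, no access control.
RELEASE = {"version": "1.4.2",
           "findings": [{"id": "F-1", "severity": "critical", "resolved": False},
                        {"id": "F-2", "severity": "medium", "resolved": False},
                        {"id": "F-3", "severity": "high", "resolved": True}],
           "controls": ["tls_in_transit", "authn"],
           "secrets_found": 0}

if __name__ == "__main__":
    d = evaluate_release(RELEASE, POLICY)
    print("ALLOW" if d.allowed else "DENY", d.reasons)
```

The same `POLICY` can be loaded by every pipeline, on-premises or cloud, so the gate decision is consistent wherever the release is deployed.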
You also need to work out your DevSecOps strategy and how it affects your engineering, operations, and customer security. Identify the security risks you are facing and how you can prevent them. It helps to create a platform-based security strategy to keep up with evolving security trends; that strategy must be agnostic to the application stack you are using and to the endpoint you are securing.
You should also prevent attackers from leaving the network and continuing their activities elsewhere, often by tracking them through a global threat intelligence network. You need to know their targets and infrastructure so you can stop them from doing it again. If you fail to do so, they may gain a foothold in your infrastructure and scale up their activities once they find you to be an attractive target.
Your infrastructure, application services, and network security need to be cloud-native, DevOps-enabled, and software-defined to improve scalability and flexibility and speed up your DevOps transformation. You need to make these elements part of your security strategy and implementation, and you need to get involved in the DevOps community to collaborate and share knowledge. You must also ensure the maturity of your DevOps and cloud deployment model and share experiences across the entire development, testing, and deployment lifecycle.
You must also communicate DevSecOps, CompSecOps, and CloudSecOps to your development, operations, and security teams to ensure everyone understands the context of your strategy and your existing agile release management practices.
In addition to being aware of all these issues, it is imperative to review all of the security processes that companies are using. This may include reviewing and auditing existing systems or reviewing existing infrastructure and remediating any problems.
Without a goal in mind, you should not expect these changes to happen quickly. Nevertheless, as the DevSecOps movement gains traction, we will see continued progress.