DevSecOps: Security Needn’t be Sacrificed for Speed

With the right practices, security needn’t be an impediment to continuous development and rapid improvement. We sat down with DevOps.com to discuss how security can be integrated into DevOps (DevSecOps) without sacrificing the rapid development and improvement inherent in DevOps environments.

With the rise of the DevOps movement, a chasm has emerged as it becomes evident that super-fast and continuous software development and deployment is marginalising “traditional” security expertise, knowledge, and best practice.

In the haste of taking advantage of the benefits of DevOps, many enterprises aren’t addressing critical security requirements, resulting in numerous issues.

  • Security not a primary concern – security not fully considered in the design phases of projects, adding cost and complexity later.
  • Lack of secure coding awareness or best practice – insecure coding practices leaving applications exposed to easy attack and data breaches.
  • Too much focus on availability – a single-minded focus on “uptime” that overshadows other important areas of improvement.
  • Supply chain issues in software libraries – using third-party libraries resulting in latent and widespread vulnerability exposures.
  • Misconfiguration of systems – infrastructure-as-code is very powerful, but can also amplify basic system hardening errors.
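The last two items, library supply chain and infrastructure-as-code misconfiguration, are the ones most readily caught by automation in the pipeline. As an added illustration (not code from the original article or from Sense of Security), the script below is a small hardening gate: it scans a constructed, tool-agnostic infrastructure document for a few classic errors (administrative ports open to the whole internet, unencrypted or public storage) and fails the build on any high-severity finding. The resource schema, the port list and both configuration documents are invented for the example and do not correspond to any real provider's format.

```python
"""Added example: an automated hardening gate over a constructed,
tool-agnostic infrastructure-as-code document.  The JSON schema used
here is invented for illustration, not any real IaC tool's format."""
import ipaddress
import json
from dataclasses import dataclass

# Assumption for this example: ports that should never be reachable
# from every address on the internet (SSH, RDP, MySQL, PostgreSQL).
ADMIN_PORTS = {22, 3389, 3306, 5432}


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" blocks the pipeline, "MEDIUM" is reported only
    resource: str
    message: str


def world_open(cidr: str) -> bool:
    """True when a CIDR block covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(res: dict):
    """Flag administrative ports exposed to the whole internet."""
    for rule in res.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and world_open(rule["cidr"]):
            yield Finding("HIGH", res["name"],
                          f"port {rule['port']} open to {rule['cidr']}")


def check_storage(res: dict):
    """Flag public or unencrypted data stores."""
    if res.get("public"):
        yield Finding("HIGH", res["name"], "data store is publicly readable")
    if not res.get("encrypted", False):
        yield Finding("MEDIUM", res["name"], "encryption at rest is disabled")


# Resource type -> check function (hypothetical type names).
CHECKS = {
    "security_group": check_security_group,
    "storage_bucket": check_storage,
    "database": check_storage,
}


def scan(document: str) -> list[Finding]:
    """Run every applicable check over each resource in the document."""
    doc = json.loads(document)
    findings: list[Finding] = []
    for res in doc.get("resources", []):
        check = CHECKS.get(res["type"])
        if check is not None:
            findings.extend(check(res))
    return findings


def gate_passes(findings: list[Finding]) -> bool:
    """The pipeline may continue only when no HIGH finding is present."""
    return not any(f.severity == "HIGH" for f in findings)


# Constructed sample: the same deployment before and after hardening.
WEAK_CONFIG = json.dumps({"resources": [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                 {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "storage_bucket", "name": "logs", "encrypted": False, "public": True},
    {"type": "database", "name": "orders-db", "encrypted": True, "public": False},
]})

HARDENED_CONFIG = json.dumps({"resources": [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 22, "cidr": "203.0.113.0/24"},   # admin network only
                 {"port": 443, "cidr": "0.0.0.0/0"}]},      # public HTTPS is fine
    {"type": "storage_bucket", "name": "logs", "encrypted": True, "public": False},
    {"type": "database", "name": "orders-db", "encrypted": True, "public": False},
]})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = scan(cfg)
        for f in found:
            print(f"[{f.severity}] {f.resource}: {f.message}")
        print(f"{label}: gate {'PASSES' if gate_passes(found) else 'FAILS'}")
```

Run as a pipeline step, the weak document produces two HIGH findings (SSH open to the world, a public log bucket) and one MEDIUM (no encryption at rest) and fails the gate; the hardened document produces nothing and passes. The point is the shape of the control: the same checks run on every commit, so a hardening error in a template is caught before it is replicated across every environment the template builds.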

DevOps is good for making things better, faster. But there tends to be a culture clash between those talking about speed, velocity or agility and those concerned with issues such as control points.

So Goldschmidt and his colleagues are showing their clients how security can be integrated into DevOps (DevSecOps) in an automated manner without affecting velocity.

Most people with development, operations or cloud backgrounds aren’t well-versed in security, he suggests, so Sense of Security shows clients how DevSecOps means security and DevOps can run in parallel.

It’s not that complicated, but it’s something most people don’t think about. In today’s landscape, organisations need to embrace DevSecOps and begin to implement it within their organisations. For more information around securing your DevOps, visit our Security Automation for DevOps page. Sense of Security also provides a managed service around this topic. For more information visit our DevOps and SecOps as a managed security service page.