DevSecOps is critical to an organization’s cybersecurity structure: research shows that organizations with strong DevSecOps implementations discover flaws 11x faster than those without. The rise in cloud computing brings a bevy of new threat vectors, especially those associated with configuration and authentication, according to the Cloud Security Alliance’s (CSA) Top Threats to Cloud Computing: The Egregious Eleven report, released on Wednesday.
The report found that many traditional vulnerabilities, including denial of service and data loss, were more common in the past than they are today, while data breaches and a lack of cloud security architecture have risen to the top of the greatest risks for businesses. These newer, more complicated threats call for strong DevSecOps practices, which are typically added on later as an afterthought, according to CSA’s Six Pillars of DevSecOps report, also released Wednesday.
“The security risks inherent in today’s intricate interactions between multiple technology layers, coupled with the globally interconnected and always-on nature of today’s applications, have been compounded by vulnerabilities lying dormant in systems, software, and hardware. The result is a field ripe for picking by malicious parties across the world,” John Yeoh, vice president of research for CSA, said in a press release. “This report should serve as a springboard for organizations wanting to address the challenges of today’s interconnected, rapidly changing security environment with increasingly shortened infrastructure and product life cycles.”
The report outlined the following six necessary components of a successful DevSecOps deployment within an organization, protecting the organization’s infrastructure and extending the life of its software.
1. Collective responsibility: Everyone has their own security responsibility and must be aware of their own contribution to the organization’s security stance. Edge users and developers are not just “security aware” but are the first line of defense.
2. Collaboration and integration: A security-aware and collaborative culture is necessary for the members of all functional teams to report potential anomalies.
3. Pragmatic implementation: Adopting a framework-agnostic digital security and privacy model that focuses on application development allows organizations to approach security in DevOps pragmatically.
4. Bridging compliance and development: The key to addressing the gap between compliance and development is to translate applicable controls into appropriate software measures and to identify inflection points within the software lifecycle where these controls can be automated and measured.
5. Automation: Software quality can be enhanced by improving the thoroughness, timeliness and frequency of testing/feedback. Processes that can be automated should be, and those that can’t should be considered for elimination.
6. Measure, monitor, report and action: For DevSecOps to succeed, software development and post-delivery results must be continuously measured, monitored, reported and acted upon by the right people at the right time.
For more, check out Why half of enterprises struggle to keep pace with cloud security on TechRepublic.