Rawpixel - Fotolia
Ideal DevSecOps strategy requires the right staff and tools
Sometimes viewed as an obstacle to speedy software rollout, the DevSecOps model helps security teams drive innovation in development. Learn how to build a DevSecOps strategy.
Security professionals often experience some pushback to their role in the application development rollout process. But the idea that security has no place in the development world has been debunked by the introduction of the DevSecOps model -- an approach that combines security, IT operations and developers and one where everyone is responsible for security.
A successful DevSecOps strategy is more than the sum of its parts. To best embed security into app dev projects, it's important that organizations incorporate the right people with the right processes. Compiled here are three essential articles for DevSecOps newcomers, with advice from the experts on designing a DevSecOps strategy and protecting business assets in the modern threat landscape.
Designing a DevSecOps strategy for cloud
To maintain an ideal security posture, today's enterprises would be wise to focus on three aspects when deploying a DevSecOps strategy. That is according to author Julien Vehent, whose recent book outlines in detail how to implement a solid security baseline in the cloud and instructs security professionals on how to effectively assess risk, as well as monitor and respond to cyberthreats.
To the benefit of security leaders with staff or budget limitations, Vehent acknowledged covering every angle of cybersecurity in modern, complex organizations is no easy task. He knows security leaders must prioritize some measures over others and outlined instructions on how to do just that. It is essential organizations ensure their approach to monitoring and responding to security events reflects today's changing and sophisticated threat landscape.
Discover how a logging pipeline can help a modern security program establish a single tunnel where anomaly detection is enabled in Chapter 1 of Vehent's book, Securing DevOps: Security in the Cloud.
Top qualifications for DevSecOps engineers
To implement a successful DevSecOps strategy, organizations require qualified engineers with the skills and experience necessary to build security into the app dev process. First and foremost, engineers must understand the importance of working in larger groups. They must also be able to communicate their technical knowledge to an audience of business executives who may not possess the same grasp of technical jargon -- or even basic security principles.
While some skills can be acquired on the job, ideal DevSecOps engineers will possess concrete qualifications beforehand. These include a thorough understanding of popular programming languages and cloud service providers, depending on the tools and platforms used by their organization. These qualifications, as well as a commitment to be involved in every step of the app dev process, is critical.
Learn more about the non-negotiable skills engineers require to help their organization implement a fruitful DevSecOps strategy.
Lessons on embedding security into DevOps from DevSecOps veterans
When organizations make steps toward creating or maintaining a DevSecOps strategy, it would be wise to take advantage of professionals with experience in the same line of work.
Experts agree that the first step to building security into the app dev process is to never settle for an ineffective infosec team hierarchy. Ideally, this includes embedding engineers into DevOps teams. Additionally, a successful workflow includes a pipeline for engineers -- as well as security members of the DevOps team -- to report to a centralized security department.
Organizations should also look to DevSecOps veterans for advice on what not to do. Panelists at DevSecCon with years of experience -- including security leaders from Dropbox and Mozilla -- explained what mistakes to avoid when implementing DevSecOps principles in the enterprise.
Learn how the distinct responsibilities of security, IT ops and development teams -- from code analysis to configuration management -- fit together in a DevSecOps model