Stuck in Traffic – Priorities Undermined

Archive for November, 2017

With continuous security, Sec DevOps deconstructs CI/CD

Posted by

Nothing is set in stone when an organization follows a DevOps methodology — a DevOps security model pushes developers and ops to constantly retune, slow down and speed up.

Excerpt from: With continuous security, SecDevOps deconstructs CI/CD

“All of the DevOps teams I work with have some integration between cybersecurity and development,” said J. Wolfgang Goerlich, cybersecurity strategist at Creative Breakthroughs Inc., a Detroit-based IT security consultancy. Some organizations have embedded security architects in the DevOps teams. Others have security champions within DevOps who work directly with the cybersecurity team. “In both cases, the partnership is a means to introduce security concepts while maintaining DevOps velocity,” he said.

Goerlich said roughly one in four DevOps teams integrate and automate some level of security controls. “This integration is generally performing scans and checks against the static code, the application, and the underlying environment composition,” he said.

But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. “That’s not effective when DevOps is changing the code on a daily or even hourly basis,” Goerlich said.

Effective SecDevOps teams secure without slowing, and they add continuous security without exceeding the team’s capacity to change, he said. “It’s paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly.”

Success comes from balancing protection for the DevOps product while protecting the DevOps productivity.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.