Is DevSecOps the Answer to Securing the Hybrid Cloud?

Jessica Lyons Hardcastle
June 25, 2018, 10:42 am MT

“Shifting security left” in the development process and “baked in, not bolted-on security” were commonly repeated phrases at the RSA Conference earlier this year — and in just about every security-related discussion before and since the annual cybersecurity event.

The phrases came up again at CA Technologies’ summit earlier this month with the vendor’s customer, Cardinal Health, a health care services company based in Dublin, Ohio. The company manufactures pharmaceuticals and medical products.

Scott Bellamy, a senior application security architect at Cardinal Health, used both phrases. “We can’t be thinking of security as an after-the-fact,” he said on a panel discussion. “One of our key tenets is moving security left in the development process — shifting left. We have to get to the point where we’re talking about building security in and having developers write secure code rather than writing code with vulnerabilities and dealing with that later.”

One way to do this is through DevSecOps, or automating core security tasks by embedding security controls and processes into DevOps. In other words, baking security into the code.

As companies rapidly adopt hybrid clouds and DevOps models, integrating security from the start solves a couple of problems.

“The overarching problem is the need for greater operational efficiencies when it comes to cybersecurity,” said Doug Cahill, a senior analyst at Enterprise Strategy Group (ESG). Companies have increasingly complex IT environments spanning on-premises data centers and multiple clouds. And they don’t have enough resources to secure these environments.

“The other problem is how to inject cybersecurity into modern IT management,” Cahill said. “At its core, DevOps is a cultural shift to get the development team and operations team collaborating.” One of the ways this model manifests is continuous integration and continuous delivery (CI/CD).

“CI/CD is just that — continuous — and from a security perspective, that can be quite disconcerting,” Cahill said, adding that a security professional told him DevOps was like running with scissors: “Bad things happen when you go fast.”

DevSecOps Challenges

ESG research found 15 percent of organizations are “extensively” automating security via DevSecOps, and 19 percent say they have incorporated some level of security into the DevOps process. Another 41 percent are evaluating DevSecOps, signaling stronger adoption in the future.

“If you are a security professional and you hear this term [DevSecOps], you may think it’s just marketing,” Cahill said. “But when you talk about what’s behind the term, it’s hard not to be in heated agreement to the value of integrating security processes and tools into your test and development environment and finally your production environment.”

Still, he added, “It’s not always clear where to start.”

An April report by 451 Research, commissioned by Synopsys, found that only half of CI/CD workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so.

Organizations cited a lack of automation and consistency, reduced speed, and the noise of false positives as the primary challenges of DevSecOps. At the same time, respondents also said the use of automated tools integrated early in the software development life cycle can have a positive impact on both the speed and the overall quality and security of software.

“We’re seeing that this emphasis on security is shifting toward the left side of the DevOps pipeline,” said 451 Research analyst Scott Crawford. “We do see developers embracing security, but it is a gradual thing. One thing development teams can’t tolerate: you can’t slow these processes down. Business insists on having features and functions that are competitive in the market, or they will lose their competitive edge.”

‘Security Needs to Delegate’

By its very nature, the DevOps model fuses development and operations resources within small teams and gives the teams ownership of the software they create, added 451 Research analyst Fernando Montenegro, who, for the record, doesn’t like the term “DevSecOps.” He says “it makes security stand out as a different stakeholder. Security should be embedded in both Dev and Ops. Security in DevOps or just DevOps.”

As companies move to DevOps — and the shortage of skilled security professionals increases — security can no longer be a centralized function, Montenegro said. It has to be embedded in multiple teams by using automated tools and incorporating things like software composition analysis into CI/CD workflows.

“Security is still trying to do too much itself,” he said. “Security needs to delegate more to other divisions. The role for security becomes more enabling, help educate that team, by all means monitor it from afar, but don’t become a roadblock.”

DevSecOps Use Cases

It can be difficult for companies to know where to start, however. Cahill suggests focusing on use cases by environment: test, development, and production.

In development, focus on eliminating security vulnerabilities introduced by developers. “Make sure your developers are writing good, secure code,” Cahill said. “The more you do things right the first time the better it is because rework always costs you more.”

In the testing environment, check for any known software vulnerabilities up and down the stack. “In test, we’ve basically hardened configuration,” Cahill said. “And in production, we can automatically apply security controls that will monitor workloads.”

This includes tools like a host-based intrusion detection system (HIDS), which monitors and analyzes the host and the network packets it sends and receives, as well as anomaly detection.

“When people say shift left, they mean all the way to development,” he said. “My point is yes, absolutely shift left, but then go right. Yes, do it in dev but also in test and production.”
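The stage-by-stage approach Cahill and Montenegro describe (software composition analysis and secure code in development, hardened configuration in test, monitoring controls in production) is normally enforced as automated gates in the CI/CD pipeline rather than as a manual review. The following Python script is an added example, not code from SDxCentral, CA Technologies, Cardinal Health, ESG or 451 Research; it shows what two of those gates look like in practice: a minimal software composition analysis pass over a pinned requirements file, and a configuration-hardening check over a deployment config, with the build failing on any finding. The advisory feed, lockfile and config are constructed sample data with placeholder advisory identifiers, not real vulnerabilities; the rule set and function names are this example's own.

```python
"""Minimal CI/CD security gate (added example, not vendor code).

Two checks a DevSecOps pipeline typically runs before promoting a build:
  1. software composition analysis (SCA): are any pinned dependencies in a
     known-vulnerable version range?
  2. configuration hardening: does the deployment config carry settings that
     must never reach test or production?
All inputs below are constructed for the example.
"""
import re

# Constructed advisory feed: package -> [(vulnerable version range, id)].
# A real pipeline pulls this from an advisory database; the ids are placeholders.
ADVISORIES = {
    "requests": [("<2.20.0", "ADVISORY-PLACEHOLDER-1")],
    "pyyaml": [("<5.1", "ADVISORY-PLACEHOLDER-2")],
}

# Constructed lockfile in pinned requirements.txt format.
SAMPLE_LOCKFILE = """\
# application dependencies
requests==2.18.4
pyyaml==5.3.1
flask==1.1.2
"""

# Constructed deployment config in KEY=VALUE format.
SAMPLE_CONFIG = """\
DEBUG=true
TLS_MIN_VERSION=1.0
ADMIN_PASSWORD=changeme
SESSION_COOKIE_SECURE=false
"""

WEAK_DEFAULT_PASSWORDS = {"changeme", "password", "admin", ""}


def parse_version(text):
    """Turn '2.18.4' into (2, 18, 4); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_matches(version, spec):
    """True when `version` falls inside an advisory range such as '<2.20.0'."""
    m = re.match(r"(<=|>=|==|<|>)(.+)", spec)
    if not m:
        raise ValueError(f"unsupported range spec: {spec}")
    op, bound, v = m.group(1), parse_version(m.group(2)), parse_version(version)
    return {"<": v < bound, "<=": v <= bound, "==": v == bound,
            ">=": v >= bound, ">": v > bound}[op]


def parse_lockfile(text):
    """Map package name -> pinned version, skipping blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def sca_findings(deps):
    """SCA gate: every dependency pinned inside a vulnerable range is a finding."""
    findings = []
    for name, version in deps.items():
        for spec, advisory_id in ADVISORIES.get(name, []):
            if version_matches(version, spec):
                findings.append(f"{name}=={version} is in range {spec} ({advisory_id})")
    return findings


# Hardening rules: (config key, predicate that must hold, message on failure).
HARDENING_RULES = [
    ("DEBUG", lambda v: v.lower() != "true", "debug mode must be off outside development"),
    ("TLS_MIN_VERSION", lambda v: parse_version(v) >= (1, 2), "minimum TLS version must be 1.2 or higher"),
    ("SESSION_COOKIE_SECURE", lambda v: v.lower() == "true", "session cookies must be marked Secure"),
    ("ADMIN_PASSWORD", lambda v: v not in WEAK_DEFAULT_PASSWORDS, "default or weak admin password"),
]


def config_findings(text):
    """Hardening gate: each rule whose predicate fails on the config is a finding."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return [f"{key}={settings[key]}: {msg}"
            for key, ok, msg in HARDENING_RULES
            if key in settings and not ok(settings[key])]


def run_gate(lockfile_text, config_text):
    """Return (passed, findings); a CI job exits non-zero when passed is False."""
    findings = sca_findings(parse_lockfile(lockfile_text)) + config_findings(config_text)
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_LOCKFILE, SAMPLE_CONFIG)
    for f in findings:
        print("FAIL:", f)
    raise SystemExit(0 if passed else 1)
```

Run on the constructed inputs the gate reports the outdated `requests` pin and all four hardening violations and exits non-zero, which is the behaviour a CI stage needs to stop the promotion; swapping in a clean lockfile and a hardened config makes it exit zero. Keeping the rules as data rather than scattered `if` statements is what lets the security team "delegate" in Montenegro's sense: they maintain the rule set while the development teams own the pipeline that runs it.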
