Ivanti Insights Episode 5: From DevOps to DevSecOps and the Game of Security Whack-a-Mole
In this month’s Ivanti Insights episode, I spoke with Chris Goettl, Sr. Director of Product Management, and first-time guest Bart Westerink, Vice President of Security Engineering at Ivanti. Our conversation focused on how organizations can design Development Operations (DevOps) processes and systems to thwart cyberattacks. Buckle up!
Don’t Go Chasing Waterfalls
Let’s dive into what DevOps is, but before we dive in, we may want to look from the shoreline. DevOps is the journey brought about by combining the practices and tools of development and operations teams to increase an organization’s ability to deliver applications and services faster than traditional software development models allow. The traditional process, known as the waterfall approach, required very long cycles up front and was slow and tedious. By the time a team finally released a solution, the market had changed, and the requirements with it.
Then came agile development models, which help the process move faster: try things, fail early, and figure out what needs to change so that the released solution is closer to what the market needs. DevOps evolves the agile development life cycle by bridging the gap between developers and operations. The goal is operational excellence achieved by breaking down silos and operating as one team.
Let’s make the DevOps conversation more interesting:
Development + Security + Operations = DevSecOps
A Matter of Culture: From DevOps to DevSecOps
Some companies are missing the middle piece of the above equation, and it shows. We must remember: if we are not thinking about DevOps as a security process from the beginning, we will forget the things that make the overall process secure.
Bart offered his insight on this: organizations need to implement a secure development life cycle, a set of activities that produce more secure code and applications.
But how?
- Security Frameworks: There are a number of frameworks organizations can look to. One example is the Building Security In Maturity Model, aka BSIMM, which lists roughly 120 security practices, such as automating security testing through static and dynamic analysis.
- Security Gates: Security teams are outnumbered by developers at a ratio of one hundred to one. Gates allow a release to be blocked until engineering and security have agreed on the bug severity level that will break the build.
- Secure Coding Training: Provide your developers with a secure coding guide and security awareness training on a regular basis.
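As an added illustration of the security-gate idea (this is example code, not Ivanti’s pipeline or the output of any real scanner), the script below evaluates a constructed list of static-analysis findings against a severity threshold that engineering and security have agreed on, honours a hypothetical waiver list, and returns a non-zero exit code so the CI job fails when the gate does not pass:

```python
"""Severity-based security gate for a CI step: fail the build when the
findings left after agreed waivers exceed the agreed threshold.
Constructed example, not Ivanti's pipeline or any real scanner's output."""
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings in the shape a SAST run might emit (hypothetical).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "rule": "sql-injection", "file": "api/users.py"},
    {"id": "F-2", "severity": "medium", "rule": "weak-hash", "file": "auth/tokens.py"},
    {"id": "F-3", "severity": "low", "rule": "debug-enabled", "file": "settings.py"},
    {"id": "F-4", "severity": "high", "rule": "hardcoded-secret", "file": "deploy/config.py"},
]

def severity_rank(finding):
    """Unknown or missing severities rank as critical so they cannot slip past the gate."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), SEVERITY_RANK["critical"])

def evaluate_gate(findings, block_at="high", max_allowed=0, waived_ids=()):
    """Return (passed, blocking_findings, counts_by_severity).

    block_at:    lowest severity that counts against the gate; this is the
                 level engineering and security agree will break the build.
    max_allowed: how many blocking findings may remain before the build fails.
    waived_ids:  finding ids with an approved exception (hypothetical waiver list;
                 in practice each waiver should carry an owner and an expiry date).
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings
                if severity_rank(f) >= threshold and f.get("id") not in waived_ids]
    counts = Counter(str(f.get("severity", "unknown")).lower() for f in findings)
    return len(blocking) <= max_allowed, blocking, counts

def main():
    passed, blocking, counts = evaluate_gate(SAMPLE_FINDINGS)
    print("findings by severity:", dict(counts))
    for f in blocking:
        print(f"BLOCKING {f['id']} [{f['severity']}] {f['rule']} in {f['file']}")
    print("security gate:", "PASS" if passed else "FAIL (release blocked)")
    return 0 if passed else 1  # non-zero exit code fails the CI job

if __name__ == "__main__":
    raise SystemExit(main())
```

With the sample data the gate fails on the two high-severity findings; lowering `block_at` to `critical`, raising `max_allowed`, or waiving the specific ids are the three knobs that have to be agreed between engineering and security rather than changed unilaterally.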
Some other topics I discussed with Chris and Bart:
- What about third-party libraries? What can organizations do to avoid becoming the next big cyberattack headline?
- The Equifax example.
- Diving into the code itself, and what organizations can do to respond to vulnerabilities.
- Security as a game of whack-a-mole, and key takeaways on the overall security of the environments and systems that touch the build process.
Find out all this and more in the full episode below.
Stay safe, be secure, and keep smiling,
Adrian