Implementing SecOps Within an IT Infrastructure in Transition - Part 1
July 30, 2018

Pete Cheslock
Threat Stack

While the technologies, processes, and cultural shifts of DevOps have improved the ability of software teams to deliver reliable work rapidly and effectively, security has not been a focal point in the transformation of cloud IT infrastructure. SecOps is a methodology that seeks to address this by operationalizing and hardening security throughout the software lifecycle.

In a recent Pathfinder Report from 451 Research, Refocusing Security Operations in the Cloud Era, 36% of businesses said their top IT goal over the next year was to respond to business needs faster, while 24% said it was to cut costs. Given these goals, the need for enterprises to implement SecOps is evident.

Understanding the role of security teams in a DevOps-enabled organization requires knowledge of existing security practices. The current mindset in too many organizations is that the security department is “wholly responsible” for security. This leads to other teams assuming that they are free to pursue their own work, with “security” being someone else’s job.

This mindset leads to several issues: It encourages an adversarial relationship due to the perception that security is somehow "standing in the way." And it also places the onus of understanding the nuances of each technology on the security department. This is not scalable.

The How and Why of SecOps

SecOps is a methodology that aims to automate crucial security tasks, with the goal of developing more secure applications. The emergence of SecOps is driven in part by the transformation of enterprise infrastructure and IT delivery models as more enterprises are taking advantage of cost-effective cloud computing models and the speed and agility benefits that are gained through the cloud.

SecOps fosters a culture where security concerns neither start nor end with the security team. While a company that shares plain-text passwords will not begin using centralized access controls overnight, the process of becoming a SecOps-oriented team begins with making sure the security team is not siloed and that security concerns are not an afterthought.

SecOps is also a software development philosophy and development system. This system is much like the software development system known as DevOps, which one needs to understand in order to grasp the development side of SecOps. DevOps is the next generation of what is known as the agile software development method. Over the past decade, "agile" has been used to manage the acceleration of software versioning and improve the output of many programming teams. SecOps is built on these same principles.

Lastly, as organizations align security with DevOps, addressing the skills gap is essential. While using external resources is a popular option, 451's research found that the top choice for dealing with this issue among enterprises is to "train existing staff to learn new skills." SecOps is a great way for an organization to optimize their workforce by developing in-house resources.

Read Implementing SecOps Within an IT Infrastructure in Transition - Part 2, including SecOps Pitfalls and Best Practices.

Pete Cheslock is Sr. Director, Ops & Support, at Threat Stack

The Latest

September 20, 2018

The latest Accelerate State of DevOps Report from DORA focuses on the importance of the database and shows that integrating it into DevOps avoids time-consuming, unprofitable delays that can derail the benefits DevOps otherwise brings. It highlights four key practices that are essential to successful database DevOps ...

September 18, 2018

To celebrate IT Professionals Day 2018 (this year on September 18), the SolarWinds IT Pro Day 2018: A World Powered by Tech Pros survey explores a "Tech PROactive" world where technology professionals have the time, resources, and ability to use their technology prowess to do absolutely anything ...

September 17, 2018

The role of DevOps in capitalizing on the benefits of hybrid cloud has become increasingly important, with developers and IT operations now working together closer than ever to continuously plan, develop, deliver, integrate, test, and deploy new applications and services in the hybrid cloud ...

September 13, 2018

"Our research provides compelling evidence that smart investments in technology, process, and culture drive profit, quality, and customer outcomes that are important for organizations to stay competitive and relevant -- both today and as we look to the future," said Dr. Nicole Forsgren, co-founder and CEO of DevOps Research and Assessment (DORA), referring to the organization's latest report Accelerate: State of DevOps 2018: Strategies for a New Economy ...

September 12, 2018

This next blog examines the security component of step four of the Twelve-Factor methodology — backing services. Here follows some actionable advice from the WhiteHat Security Addendum Checklist, which developers and ops engineers can follow during the SaaS build and operations stages ...

September 10, 2018

When thinking about security automation, a common concern from security teams is that they don't have the coding capabilities needed to create, implement, and maintain it. So, what are teams to do when internal resources are tight and there isn't budget to hire an outside consultant or "unicorn?" ...

September 06, 2018

In evaluating 316 million incidents, it is clear that attacks against the application are growing in volume and sophistication, and as such, continue to be a major threat to business, according to Security Report for Web Applications (Q2 2018) from tCell ...

September 04, 2018

There's a welcome insight in the 2018 Accelerate State of DevOps Report from DORA, because for the first time it calls out database development as a key technical practice which can drive high performance in DevOps ...

August 29, 2018

While everyone is convinced about the benefits of containers, to really know if you're making progress, you need to measure container performance using KPIs.These KPIs should shed light on how a DevOps team is faring in terms of important parameters like speed, quality, availability, and efficiency. Let's look at the specific KPIs to track for each of these broad categories ...

August 27, 2018

Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered "serious" ...

Share this