SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.
DevSecOps Made Simple: 6 Strategies
June 11, 2024
Long gone are the days when security is merely an afterthought in the DevOps process. Instead, recognizing that vulnerabilities can be inadvertently introduced during development, the issue of security has moved front and center, becoming an integral part of the development lifecycle rather than something to be bolted on at the end.
To help organizations navigate the myriad issues and challenges that arise when embedding security into the DevOps process and provide a path to success, the Cloud Security Alliance (CSA), together with Software Assurance Forum for Excellence in Code (SAFECode), drafted a series of white papers based on six critical pillars described in CSA's Reflexive Security Framework. Each paper tackles a different aspect of implementation and empowers readers with actionable security resources and guidance.
Overview: Six Pillars of DevSecOps provides an overview of DevSecOps — what it is and why it's important — and defines the six focus areas that are considered to be critical in its implementation and integration into an organization. Together, these pillars provide a holistic framework, blending traditionally siloed operations — development, infrastructure operations, and information security — into a cohesive group that facilitates creation of secure software. This is a go-to document for anyone looking to get buy-in from stakeholders.
Pillar 1: Collective Responsibility
Pillar 1: Collective Responsibility describes the common practices shared by organizations that have taken a program-level approach to security culture development. Broken into three key areas: 1) executive support and engagement, 2) program design and implementation, 3) program sustainment and measurement, the paper suggests how to best garner (and keep) executive support and engagement while building an inclusive cultural program based on cumulative experience. The paper also touches upon how to leverage security champions to create deep engagement and using metrics to sustain, build, and help evolve the program. (Those looking for a deeper understanding should consider the DevSecOps: Collective Responsibility self-paced course.)
Pillar 2: Collaboration and Integration
Pillar 2: Collaboration and Integration addresses the importance of integrating DevSecOps into organizational processes and stresses the key role that fostering a sense of collaboration plays in its successful implementation. Notably, the paper also dives into the convergence between DevSecOps and various technology areas, providing an overview of how DevSecOps can be leveraged for Zero Trust and MLSecOps, and AIOps. Among the topics covered:
■ Overarching principles for successful collaboration in DevSecOps
■ Role-based security training programs, including details on implementing a continuous, role-based security training program at an organization
■ How various organizational roles can and should join forces in an end-to-end DevSecOps delivery pipeline
■ Role-based communication requirements to integrating a new acquisition into an organization's existing DevSecOps processes
■ Crafting a winning DevSecOps culture
Pillar 3: Pragmatic Implementation
Pillar 3: Pragmatic Implementation outlines the practices, processes, and technologies that organizations should consider when building out any DevSecOps program and how to implement DevSecOps pragmatically. The paper offers such key take-aways as:
■ Different role profiles to consider during DevSecOps adoption
■ Common mistakes in designing a DevSecOps team structure
■ Impact of culture on velocity and performance
■ Characteristics of an optimized and productive culture
■ Which technologies and processes underpin the pragmatic implementation of DevSecOps
■ Considerations for various activities across all stages of the DevSecOps process, including threat modeling, developer training, security unit testing, penetration testing, GitOps, secrets and key management, and chaos engineering
Pillar 4: Bridging Compliance and Development
Pillar 4: Bridging Compliance and Development is broken into three parts offering 1) an approach to compartmentalization and assessment with an eye to minimizing operating impact, 2) best practices on how compliance can be designed and implemented into applications, and 3) a look at the different security tooling practices that can provide assurance to compliance requirements. This paper provides actionable, measurable guidance to DevSecOps teams on translating security and compliance requirements into the development cycle thereby ensuring that the gap between compliance and development is addressed.
Pillar 5: Automation
Pillar 5: Automation provides a holistic framework for facilitating security automation within DevSecOps. It offers a series of best practices for automating those security controls, as well as clarification of common misconceptions surrounding DevSecOps security testing. Specifically, the document provides insight into:
■ Triggers and checkpoints that should occur in the delivery pipeline
■ Shifting security left while accelerating right
■ Prioritizing and balancing resources along with deliverability
■ Risk factors throughout the delivery pipeline and how automation can mitigate them
■ Automation best practices beyond DevSecOps
Pillar 6: Measure, Monitor, Report, and Action
Pillar 6: Measure, Monitor, Report, and Action emphasizes the importance of continuous measurement and observability in DevSecOps and offers a detailed exploration of making security data observable, applying these principles to various team performance levels, and improving security observability through effective reporting. Among the paper's key recommendations are the adoption and use of specific principles for enhancing reporting to drive continuous improvement in security. Topics of exploration include:
■ Data observability, specifically turning security data and metrics into observable data
■ Scenario-based review and how security observability can be applied to high- and low-performing teams
■ Improvement through reporting and where companies should start on their security-observability reporting journey
DevSecOps is still relatively new, and I'd encourage anyone interested in shaping its future to join CSA's DevSecOps working group. It's open to anyone — no prior experience is required — and you can participate as much (or as little) as you like. I hope to see you there.
Industry News
December 03, 2024
Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.
December 03, 2024
CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.
December 03, 2024
Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.
December 02, 2024
Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.
December 02, 2024
Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.
December 02, 2024
Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.
December 02, 2024
Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).
December 02, 2024
Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.
December 02, 2024
iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.
November 26, 2024
Progress announced the Q4 2024 release of its award-winning Progress® Telerik® and Progress® Kendo UI® component libraries.
November 26, 2024
Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).
November 26, 2024
Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.
November 26, 2024
Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.
November 26, 2024
Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).
