How DevOps and Development Can Adapt to the New Normal - Part 5
November 20, 2020

DEVOPSdigest posed the following question to the development community: How should DevOps and development adapt to the new normal? In response, DevOps industry experts offered their best recommendations for how development teams can adapt to this new remote work environment. Part 5, the final installment in the series, covers security.

Start with: How DevOps and Development Can Adapt to the New Normal - Part 1

Start with: How DevOps and Development Can Adapt to the New Normal - Part 2

Start with: How DevOps and Development Can Adapt to the New Normal - Part 3

Start with: How DevOps and Development Can Adapt to the New Normal - Part 4

DEVSECOPS CULTURE

For a long-term, remote work environment to be safe and successful, security tools and processes need to be fully integrated throughout every stage of the development cycle. It's time to build a DevSecOps culture. To do this, form a team that seamlessly embeds security within engineering. You'll need security team members to have expertise up and down the stack — think networking, application access, compliance and architecture. Have security take part in standups and help with scrum planning and execution. Set up real time communications channels, like a Slack channel and email alias — destinations where developers can get input from security as they code. The result? Developers know they can solicit feedback from security at any point in the development lifecycle. And that creates a full-on, immediate feedback loop, which makes it rare that security concerns bubble up in the late stages of the development cycle.
Rob Juncker
CTO, Code42

BALANCE SPEED WITH SECURITY

While deployments are faster with individual contributors working remotely, DevOps leaders need to make sure that they balance the speed with security in order to successfully transition and adapt to remote work.
Rahul Varshneya
Co-Founder and President, Arkenea

AUTOMATED SECURITY

The COVID-19 pandemic has changed working conditions in a profound way. Budget cuts and new workflows owing to a remote structure are causing new strains on DevOps teams. In the face of these challenges, the use of automated technologies and approaches across the entire development cycle must become a priority for improving operational efficiency. The functionality these tools provide by boosting productivity without increasing costs or slowing development cycles has become essential, especially as the pandemic accelerates the rate of patches and new releases as organizations attempt to adapt to this new normal. As organizations adjust existing DevOps methodologies in the context of the pandemic with the goal of increasing release frequency, automated security technologies within the continuous integration, delivery, and deployment (CI/CD) toolchain will be key to maintaining agility.
Matt Rose
Global Director Application Security Strategy, Checkmarx

The pandemic and resultant work from home of IT and development teams has increased the vulnerability of software. Strong security measures are needed to be in place before every deployment. Automated security checks for checking vulnerabilities in your architecture are a must when teams are working remotely. Automated infrastructure checks need to be implemented to minimize the chances of vulnerabilities through human error.
Rahul Varshneya
Co-Founder and President, Arkenea

APPLICATION SECURITY AUTOMATION AND ORCHESTRATION

The new normal of a highly remote workforce is increasing the requirements for DevOps teams to deliver software capabilities — fast. As DevOps takes off, the spotlight is shining on the need for strong security around those applications. And while developers are now being measured on both the quality and security of their code, they lack the tools and skills needed to meet security expectations. What developers need is an application security automation and orchestration platform that unifies DevOps and security teams by making it easy to integrate security into development without changing the way developers work. By doing so, these teams are able to join forces to ensure the software they deliver is of the highest quality — and the most secure possible.
John Worrall
CEO, ZeroNorth

RBAC

With a remote workforce, you dramatically increase the attack surface of your network. Every private laptop and VPN used by workers at home represents an additional endpoint that can be exploited by hackers. For remote DevSecOps teams working with Kubernetes, it's important that role-based access control (RBAC) policies are tightened so that workers only have access to containers when absolutely necessary, limiting the ability for attackers on compromised endpoints to propagate attacks laterally between pods and containers, or to escalate privileges and access sensitive data. If attackers do gain entry, Kubernetes audit logs can reveal evidence of anomalous behavior. Reviewing the audit logs can also bring to light evidence of misconfigured RBAC and other vulnerabilities in security policies. With machine learning, you can automate audit log monitoring to flag possible threats before the damage is done.
Amir Ofek
CEO, Alcide

PAM

DevSecOps teams should focus on building out their PAM solutions to avoid credentials being stolen as users VPN in from remote locations, which may not have secure MiFi or WiFi.
Russell Rothstein
Founder and CEO, IT Central Station

Since the shift to remote work, DevOps has completely taken over. Agility is now king. Organizations are using containers, microservices and serverless compute such as lambda that are blending the lines between development, operations and security. As companies look to adopt best practices for DevOps in the "new normal" we are facing, incorporating modern methods of privileged access management (PAM) to protect organizations from cyberattacks becomes key to ensuring the software development pipeline remains intact.
With development, operations and security teams spread out because of the pandemic, organizations need a centralized PAM solution architected in the cloud, for the cloud, to address threats such as credential-based attacks and phishing. PAM solutions that support more modern application-to-application password management (AAPM) approaches can help DevOps teams secure both human and non-human identities even in the remote work environment. Methods such as secure shell (SSH) keys, ephemeral tokens and delegated machine credentials can seamlessly incorporate PAM into the DevOps pipeline. Ensuring secure access that improves an organization's security posture and agility can keep development, operations and security teams on the same wavelength without compromising speed or security.
Tony Goulding
Cybersecurity Evangelist, Centrify

LOCAL SECURITY APPROVALS

The reality of remote work for software engineering makes the importance of local security approvals even more imperative. To ensure software can be delivered safely at speed, engineering teams should be accountable for the security of changes in the systems they develop and maintain with assistance by a security team that functions as a collaborative advisor. When venturing into unknown situations, like a rapid shift to remote-only work, it can be tempting to implement heavier approval processes — but this ultimately erodes stability by hindering the ability to continuously improve systems.
Kelly Shortridge
VP of Product Management & Product Strategy, Capsule8

AUDITING AND COMPLIANCE

The shift to a remote workforce has meant — and will continue to mean — that enterprises are exposing critical container-based applications to the public internet. Increasingly distributed work therefore also increases exposure to both external and insider attacks and data breach threats, if DevOps and DevSecOps teams cannot put countermeasures in place. Run-time auditing and compliance checks through CIS benchmarks, secrets auditing, and custom container audits are basic security requirements that are all the more important for distributed workforces. These strategies will help secure communications and extend the safeguards that protect enterprise networks in distributed work-from-home environments.
Glen Kosaka
VP Product, NeuVector

ISOLATED WORKSPACES

Given that developers often work with the code that is their employer's core intellectual property — the company's "crown jewels" — their endpoints present a security risk under any circumstances, let alone the expanded attack surface exposed by the shift to more remote and distributed work in response to COVID-19. For companies relying on legacy remote access solutions like VPN, VDI or DaaS, this usually means putting restrictions on endpoints — denying worker access to certain websites; prohibiting third-party applications and/or peripherals; banning the use of personal laptops for company business; denying admin-level permissions on corporate devices, even if each of these restrictions inhibits worker productivity. The answer is to leave those legacy solutions behind and deploy isolated workspaces — OS-based isolation to strongly protect corporate assets, both on corporate-owned devices and on non-corporate devices, allowing developers to work freely without compromising security. An isolated workspace approach puts an end to the outdated notion that developers' freedom of access and corporate security need to be competing priorities.
Marc Gaffan
CEO, Hysolate

Share this

Industry News

November 21, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.

November 21, 2024

Securiti announced a new solution - Security for AI Copilots in SaaS apps.

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.