SecurityWeek : The Fundamentals of Developing Effective DevSecOps
Bolting Security on to DevOps Without Full Integration is Little More Than Keeping Security in its Own Separate Silo
The argument for including security within DevOps has largely been won. It is the basis of security by design, and the most effective way of minimizing dormant app vulnerabilities from the huge number of software developments generated in the modern containerized cloud world.
“The security risks inherent in today’s intricate interactions between multiple technology layers, coupled with the globally interconnected and always-on nature of today’s applications, have been compounded by vulnerabilities lying dormant in systems, software, and hardware,” says John Yeoh, VP of research for the Cloud Security Alliance (CSA). “The result is a field ripe for picking by malicious parties across the world.”
The solution is to expand from DevOps to DevSecOps; but achieving a genuine DevSecOps environment is not easy. Speed in code generation (DevOps) is a different requirement to security in code generation, and one can hinder the other. Simply bolting security on to DevOps without full integration is little more than keeping security in its own separate silo.
“Bridging compliance and development has become necessary because the rapid evolution of development processes and practices have meant that compliance and agile development are no longer aligned.”