DevSecOps isn’t just a practice, it’s a continuous learning experience. If you want to be successful faster, avoid these common misconceptions.

#1: Business as usual is good enough
Cybercriminals are constantly changing their tactics. If your organization’s application security practices are static, they aren’t as robust as they should be.

“I think a lot of times, people think that things are going to continue as normal. That the same processes, the same organizational structure and the same way you’ve been doing things up until now are going to help you in the future,” said Fernando Montenegro, principal analyst, information security at 451 Research.

#2: Failing to monitor developers’ system access
Jake King, co-founder and CEO of Linux security platform provider Cmd, said that during the early stages of rolling out DevSecOps, organizations overlook the access developers have in the environment.

“They’ll grant developers a lot of trust and empower them to do their job as well, but at the same time, they’re not keeping a close eye on what they are doing and how they are doing it – simply ignoring that people are doing very sensitive things,” said King. “It’s like having your CFO being able to process a wire transfer to a country you’ve never made a payment to, independently.”

#3: Failing to monitor code changes
Code is constantly changing, including new or changed configurations, patches and system maintenance, many of which are outside a DevSecOps team’s control. The result is that no one is sure what exists in the environment.

“What libraries and packages are out there, not only from a vulnerability perspective but also from an exposure perspective? When you deploy a library, how many supply chain components are you bringing into the fold? How many kinds of upstream vendors?” said Cmd’s King.

#4: Trying to force traditional security methodologies on DevOps teams
The dual-speed nature of DevOps and security can be problematic. If security imposes too much overhead on DevOps teams or suggests solutions that aren’t practical, DevOps may well ignore security.

“Everything – applications, new services, things being updated and shipped – is now moving orders of magnitude faster than they were 10 years ago. Yet a lot of the security mentality hasn’t adapted,” said Zane Lackey, former chief information security officer (CISO) at ecommerce marketplace Etsy. “That gatekeeper mentality ends up getting routed around. We need to shift them to enabling [DevOps] teams so they can really self-serve.”