DevSecOps Guide

DevSecOps is the DevOps community’s approach to bringing security into the development lifecycle. Businesses want to deliver software, but cannot afford to release unreliable or insecure applications— therefore security needs to be baked in much sooner than it has traditionally been.

DevSecOps shifts security ‘left’ to find and fix vulnerabilities earlier in the software development life cycle. It includes the benefits of DevOps such as developing, deploying and delivering new features at a rapid pace, but it also provides a more proactive approach to identifying and addressing bug in real time to bring security risks significantly down.

Just like DevOps, culture will remain a barrier to a successful DevSecOps solution. In addition to bringing the developers and operation teams together, now they need to figure out how to work with the security team towards the same goals and objectives. Bringing the security team in sooner will help them understand the code and work with the development team in a more productive manner.

 

How to get DevSecOps right DevOps and security teams are learning how to work together, albeit somewhat awkwardly in these early days of DevSecOps. One reason why it can be difficult to get the partnership “right” is that people define DevSecOps in different ways. AppSec vs. DevSecOps, and what that means for developers Traditional application security is different in two key ways from what has come to be known as DevSecOps. First, modern software companies are integrating application security into their DevOps pipelines, so security becomes part of the flow. Second, it’s also about DevOps being built into application security. Putting developers into application security Making security easy for developers, in their preferred tools, while still generating reports for the CISO is a challenge many organizations face today, when the reality is that late-stage security approaches can’t plug vulnerabilities deep within applications.

IBM releases Code Risk Analyzer to shift security left

IBM has announced the Code Risk Analyzer, a focused effort to bring security and compliance analytics to DevSecOps. The Code Risk Analyzer can be configured to run at the beginning of a developer’s code pipeline and it reviews and analyzes Git repositories for known issues with any open-source code that needs to be managed. It … continue reading

Beware of these creatures lurking in your DevSecOps teams

Halloween is upon us, and while much of the world is focused on scary creatures like ghosts, ghouls, or werewolves, DevSecOps teams have a few scary creatures of their own to deal with.  From the Dracula-like developer stuck in a world from centuries ago who is thwarting the creation of secure apps, to the DevOps … continue reading

AppSec vs. DevSecOps, and what that means for developers

Traditional application security is different in two key ways from what has come to be known as DevSecOps. First, modern software companies are integrating application security into their DevOps pipelines, so security becomes part of the flow. Second, it’s also about DevOps being built into application security. Patrick Carey, who leads product strategy in the … continue reading

Report: 73% of developers sacrifice security for speed

A majority of developers feel forced to sacrifice security for the speed that today’s development cycles require. A recent report from WhiteSource found 73% of security teams at organizations are forced to cut corners, and the AppSec tools they use are to check the box towards DevSecOps improvements and are not effectively used.  “There are … continue reading

SD Times news digest: Windows app development updates, GitLab 13.4, and the Auth0 Marketplace

Microsoft has announced new ways for Windows developers to build applications. The company announced it is working on a unified app platform that will enable developers to leverage new and existing code.  With Project Reunion, the company is working to unify access to Win32 and UWP APIs. “We will provide a common platform for new … continue reading

Progress acquires Chef to extend DevOps and DevSecOps offerings

Progress announced that it entered into a definitive agreement to acquire Chef to provide complete infrastructure automation to build, deploy, manage and secure applications in modern multi-cloud and hybrid environments, as well as on-premises.  Progress is set to acquire the company for $220 million in cash and is expected to close next month. “Chef has … continue reading

SD Times news digest: Checkmarx teams up with GitLab on DevSecOps, Google DevTools update, and Microsoft TileCode

Checkmarx has announced it will integrate its application security testing solutions directly into the GitLab pipeline.  Developers will now have access to automatic SAST and SCA security scans in the event of pull or merge requests, eliminating time-consuming manual scans and allowing developers to find and fix vulnerabilities earlier in the SDLC and make security assessments … continue reading

SD Times news digest: GrammaTech acquires JuliaSoft, Snyk announces prioritization capabilities, and TigerGraph makes updates to GSQL

Software assurance and cybersecurity company GrammaTech announced it will be acquiring code analysis company JuliaSoft. According to GrammaTech, the acquisition will help it expand the reach of the CodeSonar SAST platform to Java and C#. The new language support extends the automated detection of software vulnerabilities to enterprise use cases where safety and security are … continue reading

SD Times news digest: Cloud Security Alliance’s pillars of DevSecOps automation, dotData Stream, and Dynatrace announces AI observability for Kubernetes

The Six Pillars of DevSecOps: Automation paper published by the Cloud Security Alliance provides a holistic framework for facilitating security automation within DevSecOps as well as best practices. “It’s vital that today’s DevOps teams be agile, able to address user requirements dynamically, release features incrementally, and deliver at a faster pace than their predecessors and … continue reading

GitLab announces new acquisitions for its DevSecOps portfolio

GitLab announced two acquisitions this week focused on providing security to its platform. Peach Tech is a security firm that specializes in protocol fuzz testing and dynamic application security testing, and Fuzzit is a continuous fuzz testing solution. “Bringing the fuzzing technologies of Peach Tech and Fuzzit into GitLab’s security solutions will give our users … continue reading

Chef announces new integrated DevSecOps portfolio for compliance, desktop management and app delivery

Chef announced new capabilities designed to enable coded enterprises to build competitive advantage through automation and DevSecOps innovations.  “Since our last ChefConf, we have been intensely focused on harnessing our long experience in operating at massive scale and speed while enabling unprecedented ease of use,” said Barry Crist, the CEO of Chef. The new Chef … continue reading

Focused on application vulnerabilities? You’re missing the bigger picture

In today’s era of digital transformation, every organization must focus on application security. However, focusing on security vulnerabilities alone is unwise because it’s nearly impossible to prioritize what needs to be done. “DevOps teams are sitting in front of a table with the keys to the kingdom on their computers,” said Jake King, co-founder and … continue reading

1 2 3 5
© 2020 D2 Emerge LLC.
HTML Snippets Powered By : XYZScripts.com

Get access to this and other exclusive articles for FREE!

There's no charge and it only takes a few seconds.

Sign up now!