Secdevops or devsecops or devops next-generation (NG) – What is your take on devops?

Source – csoonline.com

I recently had the opportunity to attend and present at the Advanced Technology Academic Research Center (ATARC) Devops Summit last month. There was, as expected given the topic, a huge turn-out of US federal, commercial and public-sector participants looking to learn, connect and share lessons from adopting and implementing devops in their organizations.

A key moment at the summit conference was an informal survey of over 200 participants by Tom Suder, the President of ATARC. Tom pulsed the attendees by asking if security should be incorporated into the devops name.

The responses were interesting and thought provoking – some folks strongly agreed that security absolutely needed to be part of the evolution of devops. Other attendees equally strongly felt that devops is really a culture of using automation to drive change and should perhaps be folded into change management! There was much debate about what was devops and how it helps deliver faster by integrating and breaking down IT silos.

Secdevops or devsecops?
There are several variations, such as secdevops or devsecops, that have sprung up since the word devops started hitting mainstream awareness a few years ago. Cloud, devops and microservices cheerleaders like Adrian Cockcroft have demonstrated how organizations can transform to take advantage of new digital technologies. What is your take on what devops really means? Gene Kim the author of the Phoenix project has published his thoughts in a sequel to his really popular book called Beyond the Phoenix – The Origins and Evolution of Devops. I have been part of healthy debates at both large organizations and small businesses the evolution of devops – is devsecops or secdevops the right variation to adopt. Clearly the time is ripe to contemplate and explore what’s next after devops?

Security and compliance must be a core to developing and deploying digital assets
I have been lucky to be on the frontlines of Cloud Computing and devops adoption since 2009 with the deployment of the Recovery.gov System in the AWS cloud. Automation has been the key underlying driver towards delivering accelerated business capabilities using IT.

However, the increasing number of cybersecurity breaches and increasing emergence of compliance requirements such as Department of Defense DFARS 7012, NIST SP 800-171 and GDPR underscore the need to address the growing compliance and security backlog. I strongly believe that secdevops is the right way to think about devops. Secdevops conveys a SecurityFirst mindset that uses proactive and meaningful ways to ensure that the business benefits of IT can be safely delivered to users and consumers.

Secdevops means the incorporation of security best practices into the continuous integration/continuous deployment (CI/CD) pipeline. These discrete activities include static code scanning (SAST) using either open source or commercial tools like Yasca, Checkmarx or similar; dynamic binary scanning (DAST) using solutions like Veracode; vulnerability and penetration scanning using Nessus or similar solutions; and advanced security testing like Fuzzing to detect non-obvious security defects.

The secdevops philosophy goes even deeper – we seek to include and integrate the Chief Information Security Officer (CISO) function as part of the development pipeline. Through the automated generation of compliance reports we can deliver a more proactive security posture that goes beyond log analysis, monitoring and alerting. Security must be automated and integrated as part of the core development process and not be seen as a “bolt-on” that slows the entire production process.

Emerging security and compliance solutions like stackArmor ThreatAlert perform dynamic scans that cover the entire stack including user access, application, data, docker containers, operating system and the AWS cloud. The ability to generate and produce compliance reports required by HIPAA, FedRAMP, GDPR and NIST security standards as part of the development and deployment process help reduce compliance costs and ensure the confidentiality, integrity and availability of digital assets.

Serverless and low-code platforms are on the horizon – is it time to expand the definition of devops?
New technologies like Serverless computing and low-code platforms such as Mendix and OutSystems amongst others are popping up and possibly driving the next generation of automation. Low-code platforms offer an exciting new capability that allows business analysts to code and deploy software through standardized “application objects.” Just as Docker container have helped implement microservices, low-code platforms offer higher levels of abstraction that allow the use of visual coding and development techniques. This will allow creating a larger community of digital developers beyond the traditional coders and programmers.