
DevSecOps Beyond the Myths: Cutting Through the Hype and Getting to Results

There’s been a lot of talk and buzz about DevOps and DevSecOps, precipitated by mega technology trends and cybersecurity events shaping our industry. So my colleagues and I were excited to be part of a recent Virtual Summit on “Assembling the Pieces of the DevSecOps Puzzle,” which aimed to move the conversation from defining DevSecOps to enacting it. We are spending a lot of time helping our customers make this shift, so we were thrilled to be able to share our experiences and best practices with you. The Virtual Summit contained a series of sessions on topics such as tweaking your application security policies in a DevOps world, the changing role of the security professional in a DevOps world, and how to get your developers the security training they need. I encourage you to look at the lineup and take advantage of some of these practical and valuable sessions.

I was lucky enough to kick off the Virtual Summit with a keynote address and answer some of the audience’s early questions. In my keynote, I talked about how DevOps is becoming a necessity in today’s application economy. In a world run by software, it’s critical to develop and release new features continuously, which is where DevOps comes in. DevOps empowers development teams with an iterative process, allowing for continuous deployment of software and introduction of new features at a rapid pace. But many have raised concerns about how security fits into this fast-paced, iterative landscape. Doesn’t continuous deployment just mean continuous opportunities to introduce vulnerabilities? That doesn’t have to be the case if we move to a DevSecOps model, where security is integrated into the DevOps process itself; done this way, the model actually gives us the opportunity to create better security.

Ultimately, though, this is a big change that affects the culture, processes, technologies and priorities of many teams in an organization, and no change of this magnitude comes without some stumbling blocks. But we’ve seen it work – and seen how “secure” can become part of “quality” software.

I talk about some of these stumbling blocks in my keynote, debunk some of the popular myths surrounding DevSecOps and provide practical recommendations on how to get this done in your organization. I also talk about the enablers for success you’ll need to have in place to avoid making these myths a reality. These enablers include the security team’s openness to this new model, developer security training, and the right security tools. Finally, you’ll hear me answer some excellent viewer questions in my keynote, including:

Will security champions on the development team replace the security team?

Are certain industries more resistant to DevOps?

If security is shifting left, and development is doing the security testing – what does that look like?

You can get my thoughts on these questions in the full recording of my keynote. And if you’re moving toward DevSecOps, or just in the planning stages, please check out some of my colleagues’ excellent sessions from this summit that are packed with tips and advice on making DevSecOps a reality.

*** This is a Security Bloggers Network syndicated blog from RSS | Veracode Blog authored by [email protected] (SKing). Read the original post at: http://www.veracode.com/blog/managing-appsec/devsecops-beyond-myths-cutting-through-hype-and-getting-results