Securing DevOps Is About People and Culture

Preconceived notions and divisions make building security into the software development life cycle an uphill battle for many organizations.

Security teams have long had the reputation of being "out of process" — that they add requirements, complicate processes, and disrupt DevOps.


"The reality is that building security into the development process — be it agile, DevOps, DevSecOps, or a mix thereof — remains a significant challenge for many reasons, beginning with the group relationship," says Matt Keil, director of product marketing at Cequence Security. "In many organizations, the teams rarely interact, and the group reputation precedes the meeting. Security is 'Dr. No' and app dev is 'rogue, ignoring security.'"


These preconceived notions and divisions make building security into the software development life cycle an uphill battle for many organizations. Perhaps the solution to securing DevOps lies in reframing how we look at the problem.


Is Automation the Answer?

Trying to put different labels on security is antithetical to the goal of complementing an existing DevOps process. "When you integrate and use security as part of that automation associated with [the] DevOps pipeline and constant integration orchestration, it works much better," says Matt Rose, global director application security strategy at Checkmarx.


Many dev teams have been told to "shift left" or "shift right," but a good DevOps process is an infinite loop that is constantly moving. In other words: continuous integration (CI), he says. "Automation at CI is the key aspect — the conductor of the symphony orchestra," Rose says.


Automating at every stage of the process isn't really difficult, according to Rose, who ..
