How does the IT security role transform in the world of DevOps?

Security & GRCTraining & Certification
1.9k viewscircle icon1 Upvotecircle icon3 Comments
Sort by:
Executive Coach / Global Chief Information Officer & CISO in Education4 years ago

Every angle has to be looked at. As practitioners we have to look at everything that we can secure. If you're not shifting left and you're not putting all the controls in with the bodies to read you, forget about an automated system. You have to slow down: You have to allocate the time to make sure you have those checks.

It drives me crazy because we hear it and say it—separation of duties, validations, extreme programming. We have all of these concepts that have been around for two decades. Why not try using them? Because that's how you get to these things.  You can't just let systems automate. It’s cute that you have Veracode, etc. But guess what? At the end of the day, a body that needs to validate a lot of these things, especially when you've got key, critical systems.

At least for our old environments, which may not be at that scale, we should be able to do better. A developer should have 10-20% over their mind on those things—even if it's after hours, I don't care. They have to be able to say, "My code is secure. I can attest to having put it through the right tools to make sure that it isn't going to bring the whole company down, whether it's open source or paid." Right now we have a lot of very fast computers but once quantum computing takes off we're screwed.

Lightbulb on3
Worldwide Strategy & Portfolio, Cross Industry (Supply Chain, ESG, Engineering, Customer Experience, Intelligence Automation, ERP) in Manufacturing4 years ago

Security should definitely be integrated but when everyone is scoping projects and budgeting, they're not putting a timeline in there. There's always pushback: "Can you get it done faster? Can you get it done cheaper?" Those are the things that are cut out because they take a long time to figure out when you're not used to doing it and you want to get to the end result the quickest. It's going to be a whole lot of shifting.

Lightbulb on2
VP, Chief Security & Compliance Officer in Software4 years ago

You have to shift left—I don't think there is such a thing as no security in DevOps. We are past the point of security being a central service that will come into your area to scan it. Now you’re going to scan it. You'll learn to understand the integrity of the code.

My team is developing some threat modeling libraries so that we help the developers more by showing them, "Here are the scenarios that you should be thinking about if you’re going to do that with your application. Test it this way." It's not their primary job, so we can't really expect them to think about these threat-modeling scenarios but we definitely should teach them how to incorporate it because we need to shift left.

Lightbulb on2

Content you might like

Experts say a new hacking group that has emerged recently named BlackMatter is using techniques that are similar to the DarkSide group that successfully hacked the Colonial Pipeline Co. earlier this year. Do you think they're the same group?

Yes BlackMatter is DarkSide returning under a new name.50%

No, BlackMatter is a different group from DarkSide.32%

I don't know17%

View Results

Do you think Low Code / No Code platforms will result in fewer developer jobs?

Yes54%

No41%

Unsure4%

View Results

Our organization is subject to data retention requirements over very long periods (50 years or more). Do your organizations face similar constraints? If so, what long-term retention strategy have you implemented for these regulated data, and what technologies or solutions do you use to ensure their durability and compliance?

How frequently does your org update its GenAI training programs for staff? Do you change the training offered to align with new developments in GenAI or new tool capabilities?

Read More Comments

Looking to benchmark. If you are in-process of pursuing the ISO 42001 or have obtained it, how have you measured the business value?