DevSecOps Is Not About Tools

Sep 20 2016


DevSecOps: Culture? Technology? Fad? The Future.

As development methodology shifts from Waterfall to Agile, and CI/CD systems such as Jenkins and Travis are deployed, Security teams and their tooling become “outsiders” to the DevOps collaboration culture: the pipeline runs without them, and their checks happen outside it.

Scaling Out Isn’t the Answer

A scale-out approach works extremely well for most infrastructure architectures and applications, but it is completely ineffective when applied to security: adding more security tools and hiring more Security Engineers does not scale the same way. It shifts the Security team even farther away from the Development and Delivery process, and it does not embrace the core tenets of the DevOps culture — Collaboration, Automation, Measurement and Sharing.

With that approach there is no effective way to automate the manual testing processes, nor is there a way to correlate the disparate output of those separate tools and get a true measurement of security resiliency.

Platform Is the New Black

Enterprise CI/CD platform solutions such as GitHub, Jenkins and Travis have greatly helped with automating the Application Development, Build and Delivery functions. There needs to be a similar platform for cybersecurity, one that brings the Security Team back in-line with those processes. At CYBRIC, we believe this approach is what truly creates the “DevSecOps” culture and environment, and that it reduces the need for a large number of tools.

Continuing to “Shift Left”

In my next blog post, I’ll discuss and outline a strategy for cybersecurity efforts to continue to “shift left” and be involved in the application development lifecycle as early as possible.