Security Needs to Shift Left, Too.

Yesterday we, along with about 800 security professionals, attended the DevOps Connect: DevSecOps session at the RSA security conference.  This one-day event brought together dozens of security practitioners to share real world stories, learnings, and best practices for integrating security into DevOps initiatives. Speakers included Paula Thrasher, director of digital services at CSRA and regular C9D9 panelist, Electric Cloud advisor and DevOps author John Willis.  Our friends at Sonatype and several other vendors also had displays.

Making DevSecOps the Path of Least Resistance

Not surprisingly, there were a number of common themes in the presentations:

  • Understand the cost savings from detecting and fixing problems early
  • Secure “from the start” by making developers responsible for securing their code
  • Secure the pipeline as well as the code
  • Enable better communication and visibility/auditability
  • Enable teams to identify problems and fix things quickly

Surprising Data

We took the liberty of surveying attendees about their DevSecOps journey and discovered, not surprisingly, that Security needs to shift left:

  • 38% discover problems in the QA or UAT stage, 26% discover problems in Production
  • 20% said it would take more than a week to produce an audit log, 7% couldn’t do it at all
  • 40% said they didn’t have a secure, versioned or audit-friendly pipeline
  • 40% said it would take more than a week to add a new security tool to the pipeline, 2% said they couldn’t add a new tool at all
  • 30% said it would take more than a week to identify and patch compromised or vulnerable components, 2% also said they couldn’t do it at all

Most attendees were confident in their pipelines and practices.  However, the data clearly illustrates that many teams have a long way to go to become equal members of the software delivery process. Check out our webinar, “You Build It, You Secure It” with John Willis and our own Anders Walgren, as they explain the ways you can for make the “Sec” in DevSecOps silent.

Coming soon on Continuous Discussions:

DevSecOps from the ground up

Stay tuned for the May 1 episode of our #c9d9 video podcast which will be also dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks and Alan Shimel.

Add to your calendar

Tim Johnson

Tim Johnson

Tim is product marketing manager at Electric Cloud and focuses on the impact DevOps has on the people and the organizations adopting it.He has over 15 years product marketing experience with industry leaders like BMC Software, Cisco, Google, and SurfControl.He holds an MBA from the University of California, Irvine and is a Scoutmaster and wood turner in his "spare" time.
Tim Johnson

Share this:

Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe via RSS
Click here to subscribe to the Electric Cloud Blog via RSS

Subscribe to Blog via Email
Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Continuous Delivery (#c9d9) Podcast

c9d9 Continuous Discussion on Agile, DevOps, and Continous Delivery

Next episode:

Episode 92:
All Day DevOps

October 9, 10am PT

By continuing to browse or by dismissing this alert you agree to the storing of first- and third-party cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. See privacy policy.