You Build It, You Secure It – Higher Velocity and Better Security with DevSecOps
In a recent DevOps.com webinar, John Willis (Electric Cloud advisor, co-author of “The DevOps Handbook” and “Beyond The Phoenix Project”, and VP of DevOps and Digital Practices at SJ Technologies) joined Anders Wallgren, Electric Cloud CTO, to share key insights that help development and IT operations teams increase delivery velocity and harden their pipelines by shifting security left, earlier in the delivery process.
Here are some of the key takeaways from their discussion:
- “You build it, you secure it”: When the DevOps movement started over a decade ago, the mindset flipped: code was no longer thrown over the wall from developers to operations. The same flip now needs to happen with security. It is a systemic concern that everyone owns, end to end, rather than a separate team's gate at the end.
- Shift security left: Security is all about timing. If it’s not baked into your pipeline from the very beginning, you may find yourself trapped in a “gotcha” moment after a deployment. Security should be integrated into every single step of your software delivery process.
- Check your hygiene: Wallgren specifically calls out that the software delivery industry is notoriously bad at basic hygiene. What does this mean in practice? When you have a known defect or vulnerability, how long does it take you to remediate it in production? Good hygiene means being able to ship a small fix quickly and reliably, because the pipeline that delivers it is the same one you exercise every day.
- Change your behavior: Of course it is polite to hold the door open for a person walking into your office with arms full of boxes and papers. But is that still the right call if you don't know them? (Physical-security teams call this tailgating.) Security is just as much about culture and behavior as it is about tools and process. Consistently following security rules and measures, even at the risk of seeming “rude,” is crucial to minimizing risk.
- Security should be the path of least resistance: Make the secure way the default way, so that the easiest thing anyone in the organization can do is also the secure one, and any deviation from the default is an explicit, visible choice.
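As an added illustration of the “shift left” and “path of least resistance” takeaways (example code written for this recap, not ElectricFlow's or the speakers' code), here is a small policy gate that a pipeline could run before a deployment step. Secure settings are applied as defaults so a manifest that says nothing gets the safe behaviour, explicitly insecure settings block the deployment, and a recorded waiver (the `waivers` key, a hypothetical convention) lets a deviation through while keeping it visible in the gate's output. The setting names, the secret patterns and both sample manifests are constructed for this example.

```python
"""Shift-left policy gate for a deployment manifest (added example, hypothetical schema)."""
from __future__ import annotations

import re

# Path of least resistance: a manifest that omits a setting gets the secure value.
SECURE_DEFAULTS = {
    "tls_enabled": True,
    "min_tls_version": "1.2",
    "debug": False,
    "run_as_root": False,
}

# Value shapes that must never appear inline in a manifest (constructed patterns).
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
    re.compile(r"(?i)(password|secret|token)\s*[:=]\s*\S+"),
]


def apply_secure_defaults(manifest: dict) -> dict:
    """Return the manifest with every unset security setting filled from SECURE_DEFAULTS."""
    merged = dict(SECURE_DEFAULTS)
    merged.update(manifest)
    return merged


def _tls_version_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in str(version).split("."))


def find_violations(m: dict) -> list[tuple[str, str]]:
    """Return (setting, message) pairs for every insecure setting in an effective manifest."""
    found: list[tuple[str, str]] = []
    if not m["tls_enabled"]:
        found.append(("tls_enabled", "TLS is disabled"))
    elif _tls_version_tuple(m["min_tls_version"]) < (1, 2):
        found.append(("min_tls_version", f"minimum TLS version {m['min_tls_version']} is below 1.2"))
    if m["debug"]:
        found.append(("debug", "debug mode is enabled"))
    if m["run_as_root"]:
        found.append(("run_as_root", "workload runs as root"))
    image = m.get("image")
    if image is not None:
        # Pinned means a digest, or an explicit tag other than :latest on the final path segment.
        last_segment = image.rsplit("/", 1)[-1]
        pinned = "@sha256:" in image or (":" in last_segment and not last_segment.endswith(":latest"))
        if not pinned:
            found.append(("image", f"image {image!r} is not pinned to a tag or digest"))
    for key, value in m.get("env", {}).items():
        if str(value).startswith("${"):
            continue  # reference into a secret store, not an inline secret
        if any(p.search(f"{key}={value}") for p in SECRET_PATTERNS):
            found.append(("env", f"env var {key} looks like an inline secret"))
    return found


def gate(manifest: dict) -> dict:
    """Evaluate a manifest; blocking violations fail the gate, waived ones are reported but allowed."""
    effective = apply_secure_defaults(manifest)
    waivers = effective.get("waivers", {})  # hypothetical: {"setting": "change ticket"}
    blocking, waived = [], []
    for setting, message in find_violations(effective):
        if setting in waivers:
            waived.append(f"{message} (waived: {waivers[setting]})")
        else:
            blocking.append(message)
    return {"allowed": not blocking, "blocking": blocking, "waived": waived}


# Constructed sample: the developer took every default and referenced the secret properly.
GOOD_MANIFEST = {
    "image": "registry.example/app:1.4.2",
    "env": {"DB_PASSWORD": "${secret:db/password}"},
}

# Constructed sample: the kind of manifest the gate exists to catch, with one recorded waiver.
BAD_MANIFEST = {
    "image": "registry.example/app:latest",
    "min_tls_version": "1.0",
    "debug": True,
    "run_as_root": True,
    "env": {"DB_PASSWORD": "hunter2"},
    "waivers": {"debug": "CHG-1042"},  # hypothetical change ticket
}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(name, gate(manifest))
```

Running the gate at pull-request time rather than at deploy time is the “shift left” part: the bad manifest is rejected with four blocking findings while the waived debug setting is still printed, so the exception is visible in the pipeline log rather than silently accepted.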
Want to bake security into your software delivery pipeline? ElectricFlow can help! With ElectricFlow you can:
- Model and Automate Everything: No need to re-invent the wheel, because pipeline models are repeatable, auditable, and manageable.
- Monitor and Track Releases: Dashboards, tailored for each stakeholder, provide at-a-glance understanding of the health of your release.
- Provide Environments and Automation as a Service: Governance is a breeze because reusable components and automatic audit trails easily meet compliance and regulatory needs.
- Adopt New Technologies Safely: Ensure consistency and reusability of everything, across new and existing architectures, technologies, and processes.
- Build in Security and Compliance: Shift security and compliance left as an integral part of the pipeline, so they don't become a bottleneck at the last moment.
Plus, catch the replay of our May 1 #c9d9 episode which was also dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks and Alan Shimel.