• Home
  • >
  • DevOps News
  • >
  • 5 Steps to Implement DevSecOps – InApps Technology 2022

5 Steps to Implement DevSecOps – InApps Technology is an article under the topic Devops Many of you are most interested in today !! Today, let’s InApps.net learn 5 Steps to Implement DevSecOps – InApps Technology in today’s post !

Read more about 5 Steps to Implement DevSecOps – InApps Technology at Wikipedia

You can find content about 5 Steps to Implement DevSecOps – InApps Technology from the Wikipedia website

Prisma, from Palo Alto Networks, sponsored this post, in advance of Prisma’s Cloud Native Security Live, 2020 Virtual Summit Feb. 11, 2020.

The 1980s gave us many good things, such as U2, Metallica and Bon Jovi (questionable). But from a security perspective, this hair-band era is where the proliferation of security tools began.

Fast forward to today and it seems the IT industry’s rush to invest in security tools was not a good idea. We also haven’t learned from our mistakes. Although research has shown that 65% of cloud incidents were the result of customer misconfigurations, there is still a knee-jerk reaction, with every major breach, to buy yet another tool to fix that particular issue. This is problematic for two reasons:

  1. Security teams are not growing proportionally to the tools they purchase. And…
  2. Cryptographer Bruce Schneier was right: Security tools don’t make us more secure, processes do.
Figure 1: Evolution of Cybersecurity Tools.

Given that there are many security requirements across every cloud technology, security teams must focus on streamlining their security portfolios. How can we avoid the sins of the past? The answer lies not in yet another seemingly sexy point product, but rather DevSecOps as a well-defined process.

Figure 2: Five Steps to Implement DevSecOps.

Step 1: Define Your Future

Before jumping into this project, it is absolutely imperative to know exactly where you want to end up. If you as the security leader cannot clearly define what the end result should look like, your team will struggle. This isn’t about the technical details of how or the method by which it gets done (this is why you have a team) but rather the outcome you want to achieve. Key items include a few statements on what success looks like, accountability, responsibility, resources and milestones. Expect your strategy to mature over time and don’t spend too much time trying to make it “perfect.” Iteration over time is a key component of a DevSecOps mindset.

Read More:   50 Full-stack Developer Interview Questions Most Commonly Asked 2023

Step 2: Discover Code Movement

Whether the security and IT teams know it or not, every organization has a process by which code and changes make their way into the cloud (public or private). The trick for the security team is discovering what the process looks like today. This is about mapping out the who, what, when and where of how your organization pushes code (application and infrastructure) into the cloud. If this is not well-defined in your organization, then it is highly likely focusing here may yield the greatest opportunity for improvement i.e., risk reduction through quality control.

Step 3: Inventory Security Tools

Matt Chiodi

Matt has nearly two decades of security leadership experience and is currently the chief security officer of Public Cloud at Palo Alto Networks. He is a frequent blogger and speaker at industry events such as RSA. He currently leads the Cloud Threat team which is an elite group of security researchers exclusively focused on public cloud concerns. He also serves as an advisory board member for Rutgers University’s Cybersecurity Certificate program and is part of faculty at IANS Research.

While it’s tempting to think your organization can jump to a DevSecOps model, it is not possible without first understanding what is already in your security portfolio. When I ask security teams if they have a list of all security tools in use a vast majority of the time the answer is no. This isn’t surprising as the size of your organization has historically been proportional to your number of security tools. From what I’ve seen, small businesses can have as few as 20 tools while the largest of organizations often have more than 130 (think financial services). In this step, your team will create an inventory of all existing tools, commercial, homegrown and open source. Beyond just a list of tools it is important to track, at a minimum, the following key items:

  1. Why the tool was originally purchased or created.
  2. The risk(s) it was purported to reduce or mitigate.
  3. It’s native ability to consume and integrate with cloud provider APIs.
  4. The openness of its API (how easy is it to get data out of the tool).
  5. Its ability to generate and share contextual threat intelligence (closely related to #4).
  6. Annual cost (be sure to include hard dollars paid to the vendor as well as an approximate estimate of the cost to support the tool with personnel).
Read More:   Update How Do You Weave a Data Fabric?

Step 4: Assess the Gaps

Many organizations use control frameworks such as the Center for Internet Security’s CIS-20, NIST Cybersecurity Framework or the Australian Cyber Security Centre’s Essential 8. If your organization uses one of these or perhaps relies instead on a risk-based framework, this next step involves overlaying this information with your inventory of tools as well as the code movement patterns discovered in step two.

However, no matter which framework your organization uses, it is important to base your gap analysis on an industry standard. This analysis should yield multiple outcomes. First, it will help you understand which tools you own, manage and pay for today. Second, and most importantly, it will give you a direct line of sight into both control gaps as well as overlaps. And finally, it will help you identify how you are invested across the security vendor landscape.

As the leaders in this space have consolidated point products into comprehensive cloud security platforms, organizations can save real dollars. They can also use these platforms to reduce complexity that improved operational efficiencies offer. Critical to achieving DevSecOps is moving from a tangled web of disjointed solutions to comprehensive platforms that support the execution of your chosen framework.

Step 5: Iterate Quickly

The “final” step of the process (okay, it’s not actually final, as DevSecOps requires constant iteration) has two distinct parts. The first is taking what you learned in the gap analysis and applying it to your code pipeline, while the second is investigating and acquiring platform-based cloud security controls that support the execution of your DevSecOps strategy. It is likely that this analysis will mean saying goodbye to many of the point products that have overburdened your team for years. Key outcomes for this step include working closely with development and IT to insert security processes and platforms into the least-disruptive areas of your code pipeline. This is done effectively through the rapid addition of security guardrails (not gates) along the way.

Read More:   5 Best Practices for Kubernetes Security – InApps 2022

Taking a continuous improvement driven approach, fueled by an industry standards-driven gap analysis will generate ample opportunities for improvement. All without requiring 99+ security tools. Teams following this process will be well on their way to implementing DevSecOps. Start small. Ramp quickly. Iterate continuously.

To connect directly with security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to engage and interact with other developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Palo Alto Networks in partnership with InApps Technology, join us on Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you live online wherever you may be.

List of Keywords users find our article on Google:

prisma cloud
prisma public cloud
5 steps to a 5
devsecops jobs
prisma cloud pricing
kafka summit
prisma saas
hashicorp pros
prisma cloud login
prisma cloud api
kafka connect security
palo alto prisma
palo alto prisma cloud
how to implement devsecops
prisma security
fintech live chat outsourcing
edtech live chat outsourcing
consolidated container company jobs
palo alto networks jobs
palo alto prisma public cloud
palo alto networks prisma cloud
palo alto prisma saas
prisma cloud integrations
apache kafka security
palo prisma cloud
palo alto networks developers
kafka cloud native
palo alto networks prisma
implement devsecops
prisma cloud palo alto
devsecops container security
container security standards
devsecops tools
devsecops software
devsecops tool
nist wikipedia
“cloud native security”
base jumping wikipedia
palo alto networks blogs
prisma jobs
rutgers university niche
paloaltonetworks.com email
kafka connect icon
email paloaltonetworks.com
hire prisma developers
palo alto security patrol
palo alto custom app id
prisma order by multiple
prisma saas supported applications
palo alto specs
prisma client
jobs palo alto networks
palo alto custom application
prisma customer service
security guard services palo alto
center for internet security’s critical security controls
virtual office ho chi minh city
paloalto prisma
what is a tangle in devops
devsecops end-to-end encrypted messaging
palo alto networks prisma public cloud
cloud native kafka
prisma paloalto
kafka connect ui
prisma cloud palo alto networks
knee near palo alto
prisma palo alto networks
prisma api
cloud prisma
palo alto networks application framework
rutgers small business development center
bon de reduction about you
prisma containers
devsecops elearning
securing apache kafka
clouds with apache kafka
palo alto networks api
prisma palo alto
devsecops strategy
devsecops pipeline

Source: InApps.net

Rate this post
As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.

Let’s create the next big thing together!

Coming together is a beginning. Keeping together is progress. Working together is success.

Let’s talk

Get a custom Proposal

Please fill in your information and your need to get a suitable solution.

    You need to enter your email to download


      Success. Downloading...