Creating a DevSecOps-friendly cyber strategy

September 9, 2022

As DevSecOps environments become more complex – with various IDE platforms, coding languages, open source components, multicloud environments, and so on – the risk of breaches, vulnerabilities and compliance violations increases. Therefore, it is imperative that CISOs, CIROs and general cyber security risk managers continue to step up to the challenge of adapting to DevSecOps practices that are constantly evolving.

This puts significant pressure on security teams to manage security findings, secure infrastructures, developments and sensitive data while adhering to regulations in complex environments. More importantly, this is all to be achieved while keeping pace with compressed release cycles along with finite expertise, resources, budgets and tools.

It is worth keeping in mind that you will also have to secure the physical data store itself and not just the DevOps deliveries to avoid your environment being the target of a ransomware attack, a major leak of code or, even worse, a customer data leakage.

Securing DevSecOps often falls into the hands of developers. Requirements signed off in sales bids for things that may not have been done in the past somehow land on innocent developers’ desks. A common remark echoed through all development teams is “that’s not our job” and traditionally, in the past, it wasn’t because code was built to work, not to be secure.

Standard DevSecOps fails to integrate security needs and stakes into processes. There is often no consideration of how releases and changes affect security – or, worse, teams are under pressure to rush releases and to gain time by bypassing security needs.

Security reviews can sometimes be treated as an afterthought, often on a purely compliance approach and performed late in the process, if at all: “the auditor is in tomorrow, quick do some cyber security!” This nearly always leads to delays in delivery when substantial last-minute mitigations are needed to address security findings. This is time-consuming and it’s extremely likely that your team won’t be able to keep up with the pace of deployments and environment changes without taking lots of shortcuts.

Since slowing down isn’t an option, you need to propose a security strategy and model that is development and DevSecOps-friendly. An integral part of the entire app lifecycle is identifying and remediating security issues as early as possible. This also saves costs, avoids rework and reduces risk by ensuring deliveries are secure before they are deployed. That’s what DevSecOps aims to do.

DevSecOps allows you to take into account cyber risks, drive better security practices, offer security dashboards and provide reporting enriched with full context and integrate this into developers’ tools and processes. This unifies security across cloud infrastructure, data protection, and application deliveries.

The key to success is to ensure that everyone in the delivery pipeline shares accountability for security and everything is as automated as possible with accountable stop gates.

The core of your DevSecOps strategy will rely on a security baseline, Common Vulnerabilities and Exposures (CVE) tracking and a risk tolerance definition, paired with a risk/benefit analysis for security deviation requests and security issue management. CVEs can be the backbone of your DevSecOps. Your app will definitely have dependencies – it might be Java, Apache, or even something like Log4J – any of which could significantly compromise your app’s security.

So, what security level is necessary for a given app given its attack surface? How important is speed to market? Your strategy needs to be defined jointly by the security team or its delegates in direct communication with business stakeholders and DevSecOps teams. It will help to build in information security and set a plan for security automation to achieve real secure-by-design delivery.

There is a need to help developers code with security in mind. To do that, a process that involves security delegates sharing threat intelligence, best practices from industry standards like OWASP or CIS and an understandable security baseline is key. Introducing security training for developers and operators can be useful since it hasn’t always been a focus in more traditional application development.

CVEs can be notoriously tricky to follow and some applications could have seen decades of developers working on them. There may be dependencies which are 10 years old hiding in your app, which the newest developer has no inkling about, “but it must be there for a reason”, right? When a new CVE surfaces for such a dependency, it’s possible you might not even notice. Who is looking for security notifications from that vendor? Probably no one. Automation is key to this. Nesting CVE checkers into the pipeline to do those checks autonomously is imperative.
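The two ideas above (a risk tolerance with approved deviation requests, and a CVE check that runs in the pipeline without anyone having to watch vendor notifications) can be wired together as one automated stop gate. The script below is an added example, not code from the article or from any particular tool: it parses a pinned dependency list, matches each pin against an advisory feed, applies the team's tolerance and any approved exceptions, and exits non-zero when a blocking finding remains. Every package name, version and advisory identifier in it is a constructed placeholder; a real pipeline would pull the advisory feed from a vulnerability database rather than an inline list.

```python
"""Added example: a dependency-advisory gate for a delivery pipeline.

It parses a pinned dependency list, matches each pin against an advisory
feed, applies the team's risk tolerance and any approved deviation requests,
and returns a pass/fail verdict a CI job can act on. All package names,
versions and advisory identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE number
    package: str
    fixed_in: str         # installed versions strictly below this are affected
    severity: str         # one of SEVERITY_RANK


@dataclass(frozen=True)
class Finding:
    advisory: Advisory
    installed: str


# Constructed sample inputs: a pinned lock file and a small advisory feed.
REQUIREMENTS = """
# constructed lock file for the example
libfoo==2.0.3
parsekit==1.4.0
oldlib==1.2.0      # already at a fixed version
helperlib==3.0.0   # no advisory on file
"""

ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "2.1.0", "critical"),
    Advisory("ADV-0002", "parsekit", "1.4.2", "medium"),
    Advisory("ADV-0003", "oldlib", "0.9.0", "high"),
]


def parse_version(version: str) -> tuple:
    """Turn '2.0.3' into (2, 0, 3) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read 'name==version' pins; comments and blank lines are ignored.
    Unpinned entries are rejected because a gate cannot reason about them."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"dependency is not pinned: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_findings(pins: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Match each advisory against the installed pin of the same package."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append(Finding(adv, installed))
    return findings


def run_gate(requirements: str, advisories: List[Advisory],
             tolerance: str = "high",
             exceptions: Optional[Set[str]] = None) -> dict:
    """Apply the risk tolerance: findings at or above `tolerance` block the
    build unless an approved deviation request lists the advisory id."""
    exceptions = exceptions or set()
    threshold = SEVERITY_RANK[tolerance]
    findings = find_findings(parse_requirements(requirements), advisories)
    blocking, waived, below = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.advisory.severity] < threshold:
            below.append(f)          # reported, but does not stop the build
        elif f.advisory.advisory_id in exceptions:
            waived.append(f)         # covered by an approved deviation request
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "waived": waived, "below_tolerance": below}


if __name__ == "__main__":
    import sys
    report = run_gate(REQUIREMENTS, ADVISORIES, tolerance="high")
    for label in ("blocking", "waived", "below_tolerance"):
        for f in report[label]:
            print(f"{label:16} {f.advisory.advisory_id} {f.advisory.package}=="
                  f"{f.installed} ({f.advisory.severity}, fixed in {f.advisory.fixed_in})")
    sys.exit(0 if report["passed"] else 1)
```

Run as a pipeline step, the non-zero exit is the stop gate; the waived list is what makes the gate accountable, since every bypass has to be named in the exceptions set rather than quietly skipped. Findings below the tolerance are still printed so developers see them in their own tooling without the build being held up.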

To help security and non-security personnel make informed decisions, your DevSecOps tools will also need to identify and correlate multiple factors to be integrated with IT service management tools. However, effective DevSecOps requires more than new tools. It requires a cultural change to integrate the work of security teams sooner rather than later.

One of the biggest challenges is cultural change. DevOps teams are under huge pressure to maintain a rapid pace and are very likely to say that security is “slowing them down”. On the other hand, security teams or their delegates are primarily focused on securing apps, code, infrastructure and data. In other words, it’s difficult to work together when teams’ goals are divergent. You need to unify their goals and show them the long-term, cross-team benefits of DevSecOps.

With better collaboration and a better understanding of cyber risks and threats, your team will be better equipped to implement much-needed guardrails for developers to incorporate into their daily work, reducing friction between the teams. As an example of better communication, keeping your developers informed about security findings such as vulnerabilities, configuration errors and incidents, helps them to understand the value of security.
