November 7, 2017 By Rick M Robinson 2 min read

Agility has become an unavoidable necessity in a fast-moving technology environment, but achieving it can be a challenge for organizations and their development teams. The DevOps philosophy provides a road map; following it is not always as easy.

Even more crucial than the need to transform the development process is the need to protect against ever more sophisticated threats and attacks. But some organizations are finding that agility and security can go hand in hand. SecDevOps is an approach to development that puts security right at the heart of DevOps by making it integral to the development cycle.

SecDevOps: Bridging the Gap Between Security and Agility

According to CIO Insight, organizations such as the endowment-based Dana Foundation have found the SecDevOps approach to be an effective way to bring security into DevOps. The result is faster development cycles and more robust security.

The Dana Foundation is primarily engaged in two fields: web activities related to grant management and publishing and outreach operations, including an annual brain awareness week. James Rutt, the company’s chief information officer (CIO), told CIO Insight that the organization was primarily concerned with “code quality and code security,” with a particular focus on protecting against known code vulnerabilities listed in the Open Web Application Security Project (OWASP) Top 10, such as cross-site scripting and forgery.

The SecDevOps approach helped the company speed up its development process while reducing code vulnerabilities by 40 to 50 percent. This impressive performance shows why and how security and agility can form a perfect partnership.

Building Security Into the DevOps Cycle

Experts have been preaching for years that security needs to be built in, not bolted on after the fact. But the combination of conventional, prolonged development cycles with a fluid security environment has made built-in security almost impossible to achieve. After all, if new versions of a software package were only released every couple of years, the security environment would be radically transformed between two successive versions. Developers had no choice but to bolt on new security features.

In the world of DevOps, the software development cycle has become dramatically faster — so much faster, in fact, that code development can now match the pace of new security challenges. Developers are no longer focused on fixing existing code to handle new security threats. Instead, they are constantly building new code as part of the DevOps cycle, which means that new security features can be built in as part of the overall development process. This is exactly what the security community has been preaching all along.

SecDevOps is not a magic trick, but a natural, organic way to approach new security needs in the context of ongoing code development. This is very good news for organizations that are shifting into the DevOps era.

More from Application Security

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today