by Chris Bowen
Chief Privacy & Security Officer and Founder
Many organizations have adopted a DevOps model in which three business units converge to align developers, IT operations, and application delivery into one harmonious model that attempts to remove barriers and speed up innovation. The short version of DevOps is that business leaders identify a problem and create a plan to solve it. Developers take those plans and begin their development methodology (usually Agile) to code, build, and test an application designed to solve that business problem. Technical and business stakeholders agree that the tests are successful, the application is deployed, and it is handed off to IT to run (or operate) and monitor its health and performance.
Sounds like a great methodology, right? DevOps…the end-all, be-all in innovation.
Except that it’s not. Not by a long shot.
Why? Because DevOps alone neglects to include critical tests, controls, and reviews added by privacy, security, and compliance functions in the organization. We need DevSecOps.
The Sec in DevSecOps adds critical reviews, functions and controls to prevent problems before they happen.
- Threat models before code is created.
- Static code analysis as code is developed.
- Code reviews as code is assembled into an application.
- Once built, the application is penetration tested to ensure that the app won’t allow intruders, leak data, or be vulnerable to attack.
- Then, someone has to make sure the application complies with applicable law. Just ask TikTok if they could have used that $5.7 million fine from the FTC over COPPA violations for something more meaningful.
- As the application is deployed, log aggregation, collection, and protection must occur.
- And God bless our auditors who then step in upon deployment to make sure everyone is doing what they are supposed to.
- Security teams assemble, and as operations ensue, they gather threat intelligence to prepare for battle with the bad guys.
- Monitoring protocols, tools, and escalation paths are created to ensure that performance or security events are handled effectively.
- And the process continues in perpetuity until the application is retired and decommissioned.
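The "static code analysis" and "code review" steps above, and the misconfiguration risk discussed later on this page, can be made concrete as an automated pre-merge gate. The following is an added example written for this page, not code from the author or from any real tool: it scans a constructed source snippet for committed secrets and for calls that should trigger human review, checks a constructed deployment configuration for weak settings, and refuses to let the change advance when a high-severity finding or a configuration problem is present. The regexes, rule names, and configuration keys are illustrative assumptions, not a complete ruleset.

```python
"""Added example: a minimal DevSecOps pre-merge security gate.

Illustrative code written for this page; the rules below are assumptions,
not a complete secret-detection or misconfiguration ruleset.
"""
import re
from typing import Dict, List

# Patterns for material that should never be committed to source control.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{4,}['\"]"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Calls that are not automatically wrong but warrant a reviewer's attention.
RISKY_CALLS = {
    "eval(": "dynamic code execution",
    "subprocess.call(": "shell command execution; check shell=True and input sources",
    "yaml.load(": "unsafe YAML deserialization unless Loader=SafeLoader",
}


def scan_source(text: str) -> List[Dict[str, object]]:
    """Static check: return one finding per matched line and rule."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "severity": "high", "rule": name})
        for call, why in RISKY_CALLS.items():
            if call in line:
                findings.append(
                    {
                        "line": lineno,
                        "severity": "medium",
                        "rule": "review:" + call.rstrip("("),
                        "note": why,
                    }
                )
    return findings


def check_config(cfg: Dict[str, object]) -> List[str]:
    """Misconfiguration check over a deployment config (keys are assumed names)."""
    problems: List[str] = []
    if cfg.get("debug") is True:
        problems.append("debug mode enabled in deployment config")
    if cfg.get("storage_public_read") is True:
        problems.append("storage bucket allows public read")
    if "*" in cfg.get("cors_allowed_origins", []):
        problems.append("CORS allows any origin")
    if not cfg.get("audit_logging", False):
        problems.append("audit logging disabled; log aggregation step has nothing to collect")
    return problems


def gate(source: str, cfg: Dict[str, object]) -> bool:
    """True only if the change may proceed to the next pipeline stage.

    Medium-severity findings are reported for the code review step but do
    not block on their own; a committed secret or a config problem does.
    """
    high = [f for f in scan_source(source) if f["severity"] == "high"]
    return not high and not check_config(cfg)


# Constructed sample input for demonstration; not taken from any real project.
SAMPLE_SOURCE = """\
import yaml
password = "hunter2-not-real"
config = yaml.load(open("app.yml"))
def run(cmd):
    return subprocess.call(cmd, shell=True)
"""

SAMPLE_CONFIG = {
    "debug": True,
    "storage_public_read": False,
    "cors_allowed_origins": ["https://app.example.com", "*"],
    "audit_logging": False,
}

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print("code:", finding)
    for problem in check_config(SAMPLE_CONFIG):
        print("config:", problem)
    print("gate passed:", gate(SAMPLE_SOURCE, SAMPLE_CONFIG))
```

Running the block reports a hardcoded password on line 2 of the sample, two calls flagged for reviewer attention, three configuration problems, and a failed gate. The split between blocking and non-blocking findings mirrors the process above: automated analysis stops the obviously dangerous change, while the reviewer step gets the judgement calls.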
Without the Sec in DevOps, an organization is highly vulnerable.
As a privacy and security professional, allow me to espouse five ways DevSecOps can help your organization de-risk its cloud environments and protect itself.
- Help you reduce the risk of data loss or leakage.
- Help you reduce the risk of data privacy and confidentiality incidents.
- Help you reduce the risk of misconfigurations that expose data, credentials, or enable unauthorized access.
- Allow you to catch API vulnerabilities in third-party applications, or in your own apps.
- Help you reduce efforts around patches and software upgrades.
If you have questions about DevSecOps, and getting buy-in from your organization, reach out to me. I’d love to connect you to people who can help!