Right now, live events may be on hold or canceled altogether, but that’s not stopping the DevSecOps community from gathering remotely. We’re heading to DevSecCon24 2020 from the safety of our home offices to participate in the first virtual conference in the DevSecCon global series. This event will follow the sun over 24 hours of inspiring sessions with key DevOps and security industry figures.
Billed as an event run by practitioners for practitioners, this virtual event will be packed with information to help you implement security in your overall development process. Even the Expo has gone virtual. You’ll be able to browse the “hall” to see all the latest DevSecOps technologies and innovations—and meet the experts behind them. As a gold sponsor, ZeroNorth will be there in our virtual booth and available to answer your questions and provide information about how your company can enable secure DevOps. Oh, and it’s all free to attend.
This event seeks to help organizations answer the following questions:
- How can DevOps and Security work together to make continuously secure development a reality?
- And how can you implement security in the overall development process from the supply chain through to the customer experience?
ZeroNorth helps companies do this every day. We’ve seen what works and what doesn’t. Here are some insights—a little conference pre-learning, if you will—to help answer these questions for your organization.
Shift left—but don’t abandon the right.
“Shift left” is a battle cry to build security into the development process earlier. It’s a critical exercise, to be sure, but it’s incomplete. The real goal is to build security into the entire development process, from start to finish and then back again. This requires you to shift left and right simultaneously to cover the full pipeline. Shifting left means integrating security into developers’ tools and processes. Shifting right, by contrast, means monitoring in real time and collecting telemetry from containers and running applications, whether in the cloud or on-prem. True DevSecOps needs both.
Understand the cultural implications of DevSecOps.
Often, DevSecOps is treated as a development methodology, which isn’t quite accurate. It’s a combination of philosophies and practices to break down barriers between development, QA, operations and security to speed release cycles. Impediments to successful DevSecOps tend to be cultural.
Traditionally, organizational structures had separate reporting lines for the different players, each with its own approaches and goals. If that’s your starting point, you can’t simply reorg your way to successful DevSecOps. You must address the cultural challenges that often get in the way of true collaboration. This includes fixing technical competence issues, aligning goals and addressing legacy corporate politics. Executive support and leading by example are critical here. Identifying champions is also effective because it empowers teams to take ownership in developing a collaborative culture.
Break down those pesky tool silos.
It’s not just teams; the tools they use are also fragmented. To secure contiguous CI/CD pipelines you need to address multiple nested silos of tools. Development and security each have their own arsenals, but it doesn’t stop there. Each stage of the software development lifecycle (SDLC)—code commit, build, containers, deployed applications, etc.—is a stovepipe with tools operating in isolation. As a result, most companies use multiple tools, if not dozens, each identifying and classifying vulnerabilities in its own way across the stages.
Managing all these disparate tools eats up resources, and more importantly leaves gaps in security across the CI/CD pipeline. You need to build a unified view of application vulnerabilities and risk, correlating data and results from disparate scanning tools. Only then can you prioritize the result to identify and focus on the most critical vulnerabilities first.
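One way to build that unified view is to normalize each scanner’s output onto a common finding schema, merge findings that describe the same weakness at the same location, and then rank the merged list. The script below is an added example written for this post, not ZeroNorth’s product code; the three reports it reads are constructed samples in made-up formats (standing in for two SAST tools and one container-image scanner), and the CVE identifiers in them are placeholders, not real advisories. It also shows a detail the paragraph only implies: when two tools disagree on severity, the unified view keeps the worse rating and records that both tools saw the issue, which pushes it up the priority list.

```python
"""Correlate findings from several scanners into one prioritized view.

Added example, not ZeroNorth's code. The report formats below are
assumptions standing in for real scanner schemas.
"""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample: a SAST-style report (made-up schema).
SAST_REPORT_A = json.dumps({
    "tool": "sast-a",
    "results": [
        {"rule": "CWE-89", "severity": "HIGH", "file": "app/db.py", "line": 42,
         "message": "SQL query built by string formatting"},
        {"rule": "CWE-79", "severity": "MEDIUM", "file": "app/views.py", "line": 17,
         "message": "Unescaped output in template"},
    ],
})

# Constructed sample: a second SAST tool flagging the same SQL issue, rated higher.
SAST_REPORT_B = json.dumps({
    "tool": "sast-b",
    "results": [
        {"rule": "CWE-89", "severity": "critical", "file": "app/db.py", "line": 42,
         "message": "Possible SQL injection"},
    ],
})

# Constructed sample: a container-image scanner report. The CVE ids are
# placeholders, not real advisories.
IMAGE_REPORT = json.dumps({
    "tool": "image-scan",
    "image": "registry.example/app:1.2",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "critical", "package": "libexample",
         "fixed_in": "2.0.1"},
        {"id": "CVE-0000-0002", "severity": "low", "package": "libother",
         "fixed_in": None},
    ],
})


def normalize_sast(raw):
    """Map a SAST-style report onto the common finding schema."""
    report = json.loads(raw)
    return [
        {
            "tool": report["tool"],
            "stage": "code",
            "id": r["rule"],
            "severity": r["severity"].lower(),
            "location": f'{r["file"]}:{r["line"]}',
            "title": r["message"],
            "fix_available": True,  # code findings can always be fixed by the team
        }
        for r in report["results"]
    ]


def normalize_image(raw):
    """Map a container-scanner-style report onto the common finding schema."""
    report = json.loads(raw)
    return [
        {
            "tool": report["tool"],
            "stage": "container",
            "id": v["id"],
            "severity": v["severity"].lower(),
            "location": f'{report["image"]}/{v["package"]}',
            "title": f'{v["id"]} in {v["package"]}',
            "fix_available": v["fixed_in"] is not None,
        }
        for v in report["vulnerabilities"]
    ]


def correlate(findings):
    """Merge findings that describe the same weakness at the same location.

    Tools rate the same issue differently; keep the worst severity and
    record every tool that reported it.
    """
    merged = {}
    for f in findings:
        key = (f["id"], f["location"])
        if key not in merged:
            merged[key] = dict(f, tools={f["tool"]})
            del merged[key]["tool"]
        else:
            m = merged[key]
            m["tools"].add(f["tool"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
                m["severity"] = f["severity"]
    return merged


def prioritize(merged):
    """Worst severity first, then agreement between tools, then fix availability."""
    return sorted(
        merged.values(),
        key=lambda m: (SEVERITY_RANK[m["severity"]], len(m["tools"]), m["fix_available"]),
        reverse=True,
    )


def unified_view():
    """Run the whole pipeline over the constructed sample reports."""
    findings = (normalize_sast(SAST_REPORT_A) + normalize_sast(SAST_REPORT_B)
                + normalize_image(IMAGE_REPORT))
    return prioritize(correlate(findings))


if __name__ == "__main__":
    for m in unified_view():
        print(f'{m["severity"]:<8} {m["id"]:<14} {m["stage"]:<9} '
              f'{m["location"]}  reported by {sorted(m["tools"])}')
```

The correlation key here is (identifier, location); a real pipeline would also map tool-specific rule names onto CWE or CVE ids before merging, since two tools rarely label the same weakness identically.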
Automate Everywhere You Can.
The key word in CI/CD is continuous. This means ongoing, without interruption. And it requires automation across the entire pipeline—from design to development to testing to deployment. Automation enables you to execute routine processes and controls faster. It allows your teams to spend more time on value-adding activities. And it helps eliminate errors at critical hand-off points in the process.
Stop Making Excuses.
The journey to DevSecOps can seem daunting. Too often, organizations want to wait until they have X in place or until Y happens. The key to getting started is… well, to get started. You’re not starting from zero on security today, so take the next step from where you are right now. Start from your comfort zone and build out from there. If you’re already doing some code scanning, maybe you want to expand that. If you’re already doing dynamic scanning or penetration testing, start looking at the root causes of observed exploits and at scanning container images, builds, code, etc. Once you start, you’ll soon build momentum, putting you in an ever-improving position to support robust DevSecOps.
We Hope to See You at DevSecCon24!
To recap:
- Industry luminaries sharing their expertise and practical insights—check.
- Opportunity to virtually interact with experts and get your most burning questions answered—check.
- Peruse the virtual ZeroNorth booth to learn how we can help enable secure DevOps—check.
- Have a chance to win a cool prize if you come by our booth—check!
And it’s all completely free and available online, right from wherever you happen to be on June 14-16. If you’re involved in DevSecOps in any way, you really have no excuse not to attend. Don’t forget to register. We hope to see you there!