There’s no denying the benefits of DevOps. Indeed, a recent Google Cloud survey conducted by Harvard Business Review found that nearly two-thirds of the respondents who use DevOps have seen benefits that directly impact their bottom line while dramatically enhancing the customer experience. The numbers speak for themselves—speed to market is up 70%, productivity up 67%, customer relevance up 67%, innovation up 66% and product/service quality up 64%, all resulting from effective DevOps.
Setting the Record Straight: DevOps Security Orchestration ≠ SOAR
As DevOps adoption continues to surge, organizations are embracing new security tools that promise to automate processes and enable agility, while bolstering their overall cybersecurity posture. To that end, some have turned to security orchestration, automation and response (SOAR) solutions to augment their SIEM systems, help their SOC teams triage security alerts faster and automate repeatable incident response tasks.
In the context of DevOps security, I’ve often heard SOAR used interchangeably with DevOps security orchestration. But this is misguided. While SOAR orchestrates security response, DevOps security orchestration is on the proactive side (rather than the reactive side) to protect organizations and orchestrate the entire process of application vulnerability scanning and remediation, from tool evaluation and selection to policy-driven scanning to integrated, correlated and prioritized risk analytics to prioritize remediation.
DevOps vulnerability orchestration, however, comprises so much more. It is a continuous process spanning organizational practices, people and technology to provide a complete and accurate picture of what’s being done (or what needs to be done) to mitigate risk across DevOps environments, as well as other systems, micoservices and cloud environments.
It provides the actionable risk and vulnerability intelligence organizations need to holistically oversee and effectively manage security. Additionally, DevOps security orchestration enables businesses to align security and risk postures across new DevOps tools and open source technologies—and realize meaningful efficiencies.
Drawing a Parallel
Here’s a logic game for you. Perhaps you remember this exercise from school?
DevOps is to Digital Transformation as Orchestration is to Secure DevOps
Let’s break it down.
DevOps is to Digital Transformation…
DevOps is also more than just a set of tools. It’s a cultural philosophy that spans people, process and technology, breaking down manual, siloed efforts to promote a fully integrated, agile relationship between development and IT operations teams.
DevOps is fundamentally changing the development and delivery of software—for the better. It’s helping organizations accelerate time-to-market, ensure higher quality products and services and maintain a competitive edge. And, since every organization is now a software organization, DevOps is paving the way for digital transformation—in which digital technology is integrated into every facet of business process, culture and customer experience.
…as Orchestration is to Secure DevOps
Similarly, orchestration is enabling a transformation of a different sort: the organization’s journey to secure DevOps. At its simplest, secure DevOps means application and infrastructure security is deeply integrated into every stage of the software development lifecycle (SDLC), spanning:
- People. Orchestration aligns focus around key risks and business priorities—getting everyone on the same page and speaking the same language (development teams, operations teams, security teams and even executive leadership). It puts the team—instead of the process—front and center.
- Process. Security is no longer on the outside looking in. Just as DevOps brings Dev and Ops together into an integrated working unit, orchestration brings security into the equation from the start—right into developers’ own tools and workflows to ensure security at DevOps speed.
- Technology. Orchestration provides the ability to test, select and onboard all application security scanning tools across the SDLC, from code commit to build to deployment. It also provides a single, uniform way to manage all of these tools. This gives everyone access to the same continuous and consolidated view of risk to critical assets. It’s equally accessible—and it’s automatic.
Orchestrating security across the entire SDLC leads to a host of positive business outcomes, from more secure applications to significant time and cost savings to full visibility into application and enterprise risks. According to the Puppet 2019 State of DevOps report, organizations at the highest level of security integration throughout the SDLC are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration.
Additionally, companies with deeper security integration are able to more effectively prioritize security improvements over feature delivery and are also better able to halt a push to production to address a security issue.
Your Secure DevOps Journey Partner
Are you ready to start your journey to more secure DevOps or need some help along your way?
ZeroNorth is the only company that effectively integrates security into the end-to-end DevOps process, enabling secure DevOps with tools to orchestrate discovery, prioritization and remediation of software and infrastructure vulnerabilities. Tune in to our on-demand webinar, Getting Started with Secure DevOps or get in touch with me at to learn more. We also have a booth at RSAC 2020 so feel free to set up a time to meet at the show.