Security Needs to Shift Left, Too.

Written by: Electric Bee
2 min read

Yesterday we, along with about 800 security professionals, attended the DevOps Connect: DevSecOps session at the RSA security conference. This one-day event brought together dozens of security practitioners to share real world stories, learnings, and best practices for integrating security into DevOps initiatives. Speakers included Paula Thrasher, director of digital services at CSRA and regular C9D9 panelist , CloudBees advisor and DevOps author John Willis. Our friends at Sonatype and several other vendors also had displays.

Making DevSecOps the Path of Least Resistance

Not surprisingly, there were a number of common themes in the presentations:

  • Understand the cost savings from detecting and fixing problems early

  • Secure "from the start" by making developers responsible for securing their code

  • Secure the pipeline as well as the code

  • Enable better communication and visibility/auditability

  • Enable teams to identify problems and fix things quickly

Surprising Data

We took the liberty of surveying attendees about their DevSecOps journey and discovered, not surprisingly, that Security needs to shift left:

  • 38% discover problems in the QA or UAT stage, 26% discover problems in Production

  • 20% said it would take more than a week to produce an audit log, 7% couldn’t do it at all

  • 40% said they didn’t have a secure, versioned or audit-friendly pipeline

  • 40% said it would take more than a week to add a new security tool to the pipeline, 2% said they couldn’t add a new tool at all

  • 30% said it would take more than a week to identify and patch compromised or vulnerable components, 2% also said they couldn’t do it at all

Most attendees were confident in their pipelines and practices. However, the data clearly illustrates that many teams have a long way to go to become equal members of the software delivery process. Check out our webinar, “You Build It, You Secure It” with John Willis and our own Anders Walgren, as they explain the ways you can for make the “Sec” in DevSecOps silent.

Coming soon on Continuous Discussions:

DevSecOps from the ground up

Stay tuned for the May 1 episode of our #c9d9 video podcast which will be also dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks and Alan Shimel.

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.