Security Needs to Shift Left, Too.

Written by: Electric Bee

Yesterday we, along with about 800 security professionals, attended the DevOps Connect: DevSecOps session at the RSA security conference. This one-day event brought together dozens of security practitioners to share real-world stories, learnings, and best practices for integrating security into DevOps initiatives. Speakers included Paula Thrasher, director of digital services at CSRA and regular C9D9 panelist, and CloudBees advisor and DevOps author John Willis. Our friends at Sonatype and several other vendors also had displays.

Making DevSecOps the Path of Least Resistance

Not surprisingly, there were a number of common themes in the presentations:

  • Understand the cost savings from detecting and fixing problems early

  • Secure "from the start" by making developers responsible for securing their code

  • Secure the pipeline as well as the code

  • Enable better communication and visibility/auditability

  • Enable teams to identify problems and fix things quickly

Surprising Data

We took the liberty of surveying attendees about their DevSecOps journey and discovered, not surprisingly, that Security needs to shift left:

  • 38% discover problems in the QA or UAT stage, 26% discover problems in Production

  • 20% said it would take more than a week to produce an audit log, 7% couldn’t do it at all

  • 40% said they didn’t have a secure, versioned or audit-friendly pipeline

  • 40% said it would take more than a week to add a new security tool to the pipeline, 2% said they couldn’t add a new tool at all

  • 30% said it would take more than a week to identify and patch compromised or vulnerable components, 2% also said they couldn’t do it at all

Most attendees were confident in their pipelines and practices. However, the data clearly illustrates that many teams have a long way to go before security becomes an equal member of the software delivery process. Check out our webinar, “You Build It, You Secure It” with John Willis and our own Anders Walgren, as they explain the ways you can make the “Sec” in DevSecOps silent.


Coming soon on Continuous Discussions:

DevSecOps from the ground up

Stay tuned for the May 1 episode of our #c9d9 video podcast which will be also dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks and Alan Shimel.
