Table of Contents
- Summary
- Definition
- Motivation
- Leadership Perspectives on DevSecOps
- DevSecOps Players
- Key Takeaways
- About Jon Collins
- About GigaOm
- Copyright
1. Summary
To ensure data and services are protected against attack, DevOps is evolving to incorporate cybersecurity practices across the lifecycle. Organizations need to take into account the fast-moving nature of continuous innovation, and a rapidly evolving and fragmented threat landscape: otherwise security can get in the way of delivery speed. DevSecOps seeks to quite literally insert security into the DevOps activity stream, reducing risk without creating bottlenecks or increasing cost.
This report sets out the thinking behind DevSecOps and explains how to protect data and services, assure privacy and trust, and remain compliant, without losing the ability to innovate and scale new software solutions. It is aimed at senior technology decision-makers and security professionals that are facing the challenges of balancing security and innovation.
Key findings are:
- Without appropriate cybersecurity practices and tools, DevOps organizations open themselves up to risk, which could manifest as cost of resolution and unexpected downtime, as well as reputational damage and loss of business.
- Drivers to DevSecOps boil down to reducing the substantial business risk caused by exposing corporate assets and data through applications. The attack surface created by such applications is dynamic and complex.
- Security must not be the poor nephew of DevOps-based innovation, with budget holders prioritizing short-term delivery goals and delivery rate/speed over longer-term risk.
- DevSecOps needs to differ based on organization type (e.g. traditional enterprise or cloud-native), context (e.g. compliance industry), and size.
- DevSecOps helps enterprises treat security as a first-class citizen across development and into operations. The first steps should be based on identifying what is causing the greatest business risk, and what needs to be prioritized.
Technology vendors are categorized according to whether they help strengthen the process, the product, or the infrastructure associated with an application or service.