Is DevSecOps making a Difference in Information Security?

It seems nary a week passes without a story about a hacking incident making the evening news. Additionally, many CIOs report a skills gap when it comes to employing experienced information security professionals. As such, the demand for these IT pros is now going through the roof – as are their salaries.

So what about DevSecOps, the cybersecurity-focused variant of the DevOps methodology and organizational structure? We’ve talked about it in the past and are wondering if it is truly making a difference in today’s technology world. Let’s take a closer look.

The Current State of DevSecOps in the Industry

Last month, SD Times looked at what inroads DevSecOps is making throughout the software development industry. They asked the same question as us: is it truly making a difference, considering the never-ending scourge of cyber attacks and similar forms of nefarious behavior? Or, considering the difficulties some organizations encounter when implementing DevOps itself, is it simply too new to make much impact?

Derek Weeks, vice president and DevOps advocate at Sonatype, echoes that opinion. “I will say I think we’re early on in the DevSecOps movement of practices that are being implemented. I think with the organizations that have attempted to do it, they are seeing early successes and are happy with that. The vast majority of the market has not gotten their feet wet with DevSecOps practices yet,” said Weeks.

When looking at the recent tech news, however, it becomes time to quote Spock: “Mr. Scott, speed is of the essence.” The core of the issue involves successfully implementing security within a software engineering organization’s current DevOps initiatives. If those practices are still emerging, obviously adding the “Sec” to DevOps becomes more difficult.

A Cultural Change is Essential for a DevSecOps Implementation

A successful DevSecOps implementation requires both a cultural shift within a software development shop and buy-in from the executive team. Of course, these same things are necessary for switching to DevOps itself. Obviously, a mature DevOps organization will likely find it easier to add security to an existing framework.

Weeks feels security practices need to be actually embedded in the software development workflow, as opposed to tacked on to the process after the fact. Making information security practitioners serve as gatekeepers instead of collaborators isn’t the best approach. They need empathy for the entire SDLC.

Training software engineers in the proper application of cybersecurity technology ultimately works better. This serves to foster the kind of teamwork and collaboration that is the hallmark of DevOps itself. It also provides companies the chance to close their information security skills gap in an internal fashion.

John Martinez, vice president of customer solutions at Evident.io, commented on the inroads DevSecOps is making at his firm: “I think the DevOps side of DevSecOps has definitely been much faster to respond and I think we’re starting to see, at least on our side, the cross-pollination on the security side where a lot of the agile practices are starting to fit over on the SecOps side.”

Ultimately, DevSecOps is a still-emerging practice. However, the importance of companies successfully implementing it cannot be overstated.

That’s it for this edition of the Betica Blog. Stay tuned for additional insights from the wide world of software development. Thanks for reading!

Scale your Organization’s Cloud Operations using Fugue

While Cloud Computing continues to revolutionize the IT industry, DevOps has supercharged the pace of this transformation over the last few years. Companies strive to achieve a competitive advantage by both improving efficiency and cutting costs, with Cloud-based technical infrastructures being a big part of this equation. Increasingly, these firms use Fugue, an automated tool that assists in the governance of Cloud operations.

Let’s take a high-level overview of Fugue and its functionality to see if it makes sense as part of your organization’s Cloud investment. If you are looking at turning DevOps into DevSecOps, it might be the perfect fit.

What is Fugue?

At its heart, Fugue provides automated services for regulatory compliance and corporate policies as they relate to a Cloud infrastructure. It uses a code-based model to facilitate this infrastructure management, thus lending itself to a higher level of regulation, especially at firms implementing DevSecOps. Companies use Fugue as the “single source of truth” when operating and managing their Cloud-based technical assets.

Fugue uses a classical music metaphor to describe its functionality. The programming language used in the application is called Ludwig. Individual programs are known as compositions, while the automation server is called the Conductor. Chef, another Cloud infrastructure management tool, uses food-based metaphors in a similar manner.

Ludwig offers a host of features suitable for software engineers, including types, code validation, and a module-based architecture, allowing complex designs to be broken down into individual abstractions. It facilitates collaboration as well as the documentation that is vital in a regulatory compliance scenario. Once again, this approach illustrates the blurring of technical roles which is a major aspect of DevOps itself.

Scenarios where using Fugue makes Sense

Organizations embracing DevOps with the hope of automating their Cloud operations make up the core of Fugue’s user community. It automates all aspects of CloudOps, including the creation, operation, and maintenance of any size infrastructure. As usage needs increase, the system scales in a seamless fashion – an important consideration in the modern technology world.

It also plays well with other DevOps tools used for Continuous Integration, including Jenkins, Travis, and CircleCI. This helps automate the entire lifecycle of any organization’s Cloud-based infrastructure. Ludwig compositions can also be stored in a source code repository, including Git and GitHub.

The tool truly shines in the management of Cloud-based infrastructures where cybersecurity and regulatory compliance are highly important. As noted earlier, Ludwig makes the creation of vital system documentation an easy process. Fugue supports traditional IT processes relevant to compliance, like change control and policy enforcement – all in an automated fashion.

Companies with an investment in container technology, such as Docker, also benefit from being able to easily create and manage virtual Cloud-based environments. Fugue includes a “no-op” operational mode to properly vet any infrastructure changes before they go live in production. Remember that everything gets documented and stored in source control.
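The vetting step described above, as an added example that is not Fugue’s own code or the Ludwig language: a small policy-as-code evaluator in Python that runs in a “no-op” mode by default, reporting which resources in an infrastructure definition would violate policy without applying anything, and only “deploys” when explicitly asked and the plan is clean. The resource fields, policy names and the sample infrastructure are all constructed for illustration and do not follow any real provider’s schema.

```python
"""
Illustrative policy-as-code check in "no-op" (dry-run) mode.

Added example, not Fugue or Ludwig code. It models the idea of declaring
infrastructure as code, evaluating it against compliance policy, and
refusing to apply until the plan is clean. Resource field names, policy
names and the sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, minimal infrastructure definition (the "composition").
SAMPLE_INFRA = {
    "resources": [
        {"name": "logs-bucket", "type": "bucket", "public": True, "encrypted": False},
        {"name": "app-bucket", "type": "bucket", "public": False, "encrypted": True},
        {"name": "ssh-sg", "type": "security_group",
         "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "type": "security_group",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ]
}


@dataclass
class Violation:
    policy: str
    resource: str
    detail: str


# A check inspects one resource and returns a message if it breaks policy.
Check = Callable[[Dict], Optional[str]]


def no_public_buckets(r: Dict) -> Optional[str]:
    return "bucket is publicly readable" if r.get("public") else None


def buckets_encrypted(r: Dict) -> Optional[str]:
    return "bucket lacks encryption at rest" if not r.get("encrypted") else None


def no_open_admin_ports(r: Dict) -> Optional[str]:
    admin_ports = {22, 3389}
    for rule in r.get("ingress", []):
        if rule["port"] in admin_ports and rule["cidr"] == "0.0.0.0/0":
            return f"port {rule['port']} open to the world"
    return None


# (policy name, resource type it applies to, check function); names are illustrative.
POLICIES: List[Tuple[str, str, Check]] = [
    ("no-public-buckets", "bucket", no_public_buckets),
    ("buckets-encrypted", "bucket", buckets_encrypted),
    ("no-open-admin-ports", "security_group", no_open_admin_ports),
]


def evaluate(infra: Dict, policies=POLICIES) -> List[Violation]:
    """Run every policy against every resource of the matching type."""
    violations = []
    for r in infra["resources"]:
        for name, rtype, check in policies:
            if r["type"] != rtype:
                continue
            msg = check(r)
            if msg:
                violations.append(Violation(name, r["name"], msg))
    return violations


def plan(infra: Dict, apply: bool = False) -> Dict:
    """No-op mode by default: report what would happen and change nothing.
    Only with apply=True and zero violations does the plan count as applied."""
    violations = evaluate(infra)
    result = {
        "mode": "apply" if apply else "no-op",
        "violations": [(v.policy, v.resource, v.detail) for v in violations],
        "applied": False,
    }
    if apply and not violations:
        # Placeholder for a real deployment step; this example never
        # touches a cloud API.
        result["applied"] = True
    return result


if __name__ == "__main__":
    report = plan(SAMPLE_INFRA)
    print(f"mode={report['mode']} applied={report['applied']}")
    for policy, resource, detail in report["violations"]:
        print(f"  [{policy}] {resource}: {detail}")
```

Running the block as-is reports three violations for the constructed input (the public, unencrypted logs bucket and the world-open SSH rule) and applies nothing; wiring `plan(..., apply=True)` into a CI job gives the same gate the text describes, with the composition and the policy file both living in source control.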

In short, Fugue deserves consideration as a valuable tool by any company that relies on the Cloud for its technical operations. It is especially useful for organizations embracing DevSecOps or that require strong regulatory compliance.

Keep returning to the Betica Blog for additional insights from the software development world. Thanks for reading!