Articles


What the Game of Thrones Night’s Watch Can Teach Us About DevOps Security

If you are reading this, you probably got sucked into watching Game of Thrones when it first aired on HBO in 2011. It is amazing how much has changed during the eight seasons of the series, but, as a developer and security guy, I find the Night’s Watch story the most interesting. The series debuts with the men in black – a.k.a. the Night’s Watch – patrolling the Wall. Soon, we learn that, contrary to popular belief, there really are supernatural threats lurking in the darkness that put all of Westeros at risk.

The Wall that the Night’s Watch guard is the only thing standing between the country of Westeros and the deadly White Walkers. However, rather than immediately getting all the resources they need to tackle this danger, the people of the Night’s Watch spend the next seven seasons convincing the rest of Westeros that these threats are real and that leaving the Wall woefully understaffed and poorly defended endangers everyone. Hmm…sounds familiar?

Source of the article on DZONE

A while back, I had a conversation with a friend that I went to school with (currently a senior member of the engineering team at a large retail chain) who was tasked with the job of identifying potential application security partners (he addressed vendors as partners, which I personally liked) that they could collaborate with on various areas as part of their product security initiative. The following piece emerged as an extension of my immediate thoughts when he shared his views of what could have made his experience of interacting with front-line sales and marketing folks better.

In the context of DevSecOps, much has been said about the need for engineering to speak security, security to speak code, DevOps to speak security, etc. But, as a Technology Service Provider (TSP) riding the current wave of application security, it’s almost mandatory for the Sales and Marketing teams to speak relevant tech!

Source of the article on DZONE

The history, tools, and metrics of DevSecOps.

Where Did DevSecOps Come From?

Traditionally, software development involved two separate siloed departments: development and operations. The developers were responsible for writing the code, and the operations staff were responsible for deploying and managing it.

Back then, this software development process, which essentially followed the waterfall model, was simple and straightforward. Consumer demands were manageable, and if any changes or improvements needed to be made, the operators could ping back to the developers to make the necessary amendments.

Source of the article on DZONE

Thinking of a master DevSecOps plan…

Whether it was the millions of users left vulnerable by Fortnite, or hackers gaining access to Dunkin’ customer accounts, 2019 has already seen some of the worst data breaches to date. To combat these types of attacks and vulnerabilities, organizations must be more cognizant of their security, and embrace a DevSecOps approach. And to do so, it is imperative that they provide the proper education and training for every facet of the organization.

But it is important to note when educating organizations about security that some practices and technologies should be encouraged, while others should be avoided. These teachings need to be tailored for different audiences as needed, and new ways of learning and fitting into a DevSecOps scope should be explored in great detail.

Source of the article on DZONE

This is the first installment in a series of blog posts on this topic.

Years have passed since the software world first gasped at the high-velocity achievements of Netflix, Etsy, Flickr, and others, watching in awe as they shipped features in less time than other companies could even begin to start planning them. The secrets to their success were collectively characterized as “DevOps” – a new approach to delivering software that focused intensely on continuous integration, continuous delivery, and breaking down barriers between engineering and operations teams in order to ship faster, and with less risk.

Source of the article on DZONE

Over in the TechWell Hub, I was recently asked by a fellow community member, "Is there value in having traditional testers do security testing in addition to the testing taking place from our security group?" I thought it was a great question, and it deserves a more detailed response.

For many organizations, traditional software and testing groups are separated from the IT security group. The former is concerned only with functionality, while the latter cares only about security. In many cases this results in adversarial relationships, which almost always leads to some challenges for software development teams:

Source of the article on DZONE

As DevSecOps takes hold in organizations, there’s a noticeable difference in the maturity of application security testing practices for mobile apps versus web apps. NowSecure sought to understand the role of DevSecOps in the mobile application development lifecycle by polling IT leaders about their release and testing practices. Consult this infographic to see how your organization stacks up against your peers and the top benefits companies have achieved by incorporating security testing into mobile DevOps.

Source of the article on DZONE

Before implementing any DevSecOps tools, you have to embrace that DevSecOps is disruptive to the entire security tool landscape. Too many tools are just putting lipstick on a pig.

But how do you know which ones are lipstick and which ones transform the pig from the inside out? Larry Maccherone laid this out in his talk at our Nexus User Conference. If you’re not already familiar with Larry, he is an industry-recognized thought leader on DevSecOps, Lean/Agile, and Analytics and currently leads the DevSecOps transformation at Comcast. In other words, he knows what he’s talking about.

Source of the article on DZONE


“DevOps is Agile on steroids — because Agile isn’t Agile enough.”

So says Jim Bird, the CTO for BiDS Trading, a trading platform for institutional investors. Jim continued, "DevOps teams can move really fast…maybe too fast? This is a significant challenge for operations and security. How do you identify and contain risks when decisions are being made quickly and often by self-managing delivery teams? CABs, annual pen tests, and periodic vulnerability assessment are quickly made irrelevant. How can you prove compliance when developers are pushing their own changes to production?"

Jim was presenting at the 2018 Nexus User Conference on Continuous Delivery. Drawing on his 20+ years of experience in development, operations, and security in highly regulated environments, Jim laid out how and why Continuous Delivery reduces risk and how you can get some easy wins toward making it more secure.

Source of the article on DZONE