Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

DevOps and CD in the crosshairs: A new approach for security in 2017

$
0
0

As we settle into 2017, there’s plenty of uncertainty surrounding the security and privacy of our digital world. Much of this uncertainty stems from the escalating intensity ofcyberattacks against consumers and businesses, the evolution of the Internet of Things (IoT)as a weaponized battlefield , anduncertainty as to whatimpact of the incoming administrationwill have regarding the government’s position onprivacy.

But the shift by attackers from systems to the applications is the bigger trend that should worry software professionals. Thisthreat requires a different approach to security. Here's why.

What is the true state of security in DevOps?

Get Report

Hackers zero in on DevOps and CD

Nasty people who want to do ugly things constantly seek out high-value targets that give them the most leverage over victims, with the least amount effort. There’s even a well-known term in certain circles, known as “compromise impact efficiency.”

Continuous delivery / continuous integration a (CD/CI) pipelines that are now widely adopted in agile development and DevOps shops are just such a target. Consider the impact of advanced persistent threat (APT) malware, but applied at the application level, instead of the system level. If threat actors can breach the software development pipeline, they can control your company by subverting its software code and components.

Healthcare and financial services organizations have some of the most valued data, and so are likely tobe attacked first. These attacks will be aggressive and very public, soDevOps teams will need to live up to new standards of testing and prevention ― preferably harmonizing these operations with existing DevOps tools and functions.

DevOps teams become more critical security players

As distributed computing and TCP/IP took hold in the early 1990’s, the information security world revolved around resource access control facility (RACF) and TopSecret―mainframe access management. Distributed computing and network security had never been issues before, so there were no skilled security practitioners to get the job done.

The result: Network security was owned by the network organization. The same thing happened when web application security became a demand: Web developers were responsible for implementing security controls (e.g. web access management) even though the central information security organization was providing guidance and standards.

Just as network security ownership defaulted to network teams in the 1990s, the same will be true for agile security and DevOps teams in 2017. Cloud and agile technologies are being adopted faster than ever, and the industry doesn’t have time to wait for information security to develop the needed skills. Therefore, DevOps teams will be on the hook for implementing actual security controls.

The successful security team will recognize this, and seek to provide tools that harmonize with this trend, instead of fighting it. In so doing, these teams will maintain high degrees of visibility and create leverage for their already-stressed resources.

With new threats comes opportunity

Software professionals have said for over a decade that security should be built in, not bolted on. Here’s a prime opportunity to move towards that reality. How will your team or operations make it happen in 2017?

What is the true state of security in DevOps?

Get Report

Image credit: Flickr


Viewing all articles
Browse latest Browse all 12749

Trending Articles