{"id":111086,"date":"2020-05-11T06:00:19","date_gmt":"2020-05-11T13:00:19","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=111086"},"modified":"2020-05-07T12:43:57","modified_gmt":"2020-05-07T19:43:57","slug":"cloud-devsecops","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/05\/cloud-devsecops\/","title":{"rendered":"Bridging the DevOps and Security Divide with DevSecOps"},"content":{"rendered":"

To keep up with the demands of working in the cloud \u2013 and do so securely \u2013 we need to incorporate security practices into the application development and deployment pipelines. The term \u201cDevSecOps\u201d describes this process. Unfortunately, the transformation to DevSecOps can lead to friction between Security and DevOps teams. The good news is that it doesn\u2019t have to be this way. Enterprises can adopt practices that reduce conflict and help make the journey to DevSecOps successful. Purpose-built security tools can also empower DevOps teams to make this transition.\u00a0<\/span><\/p>\n

Importantly, the information and conclusions presented here are based on conversations I have had with DevOps, Security and DevSecOps leaders from the finance, retail and media industries. Those experiences have given me insight into the concerns these teams tend to have, as well as information and ideas about how they can be addressed.<\/span><\/p>\n

 <\/p>\n

Emergence of DevSecOps<\/strong><\/h2>\n

Innovative products and services catering to end-user needs and preferences require applications to be deployed with great agility, frequency and scale. Consequently, development teams leverage cloud and container platforms in conjunction with a DevOps practice to meet business objectives.\u00a0<\/span><\/p>\n

Security teams, tasked with protecting customer data and apps, have a hard task under normal circumstances. The adoption of highly elastic and scalable infrastructure \u2013 frequently deploying resources from hundreds to a thousand times a day \u2013 puts a tremendous burden on security teams that are ultimately unable to meet these requirements.\u00a0<\/span><\/p>\n

DevSecOps, when done right, has the ability to inject security in a cloud native manner to provide vulnerability management, help with compliance, and offer misconfiguration and runtime protections. However, security and DevOps teams have often been at odds with each other in their efforts to achieve their respective objectives.\u00a0<\/span><\/p>\n

Both DevOps and Security teams can obtain a better understanding of the reasons that contribute to prior failed attempts at DevSecOps. Implementing certain steps can also enable a successful transition.<\/span><\/p>\n

 <\/p>\n

Marching Toward Different Goals\u00a0<\/strong><\/h2>\n

The term \u201cculture\u201d is often used to describe people, process and tools that enable organizations to accomplish business objectives. However, it has been hard for many organizations to embrace and acknowledge the cultural barrier that exists between security and DevOps teams. It is important to understand these differences before discussing their consequences. Some major differences are:\u00a0<\/span><\/p>\n\n\n\n\n\n\n
\n

DevOps Culture\u00a0<\/b><\/h3>\n<\/td>\n

\n

Security Culture<\/b><\/h3>\n<\/td>\n<\/tr>\n

Security inhibits innovation and agility.<\/span><\/td>\nDoes not trust DevOps to get security right.<\/span><\/td>\n<\/tr>\n
Security is hard to adopt.<\/span><\/td>\nNeeds to ensure compliance and protection.<\/span><\/td>\n<\/tr>\n
Security is not a DevOps function.<\/span><\/td>\nDo as I say in order to sanction your application.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

This mismatch precipitates undesirable outcomes for the enterprise as a whole:\u00a0<\/span><\/p>\n