In this post:
-
Why DevSecOps is important
-
Some common challenges in implementing DevSecOps
-
How to start your DevSecOps journey
We recently published the results of our survey from earlier this year where we asked more than 500 IT and Security practitioners about their container and Kubernetes adoption and security strategies. One of the key takeaways was that organizations need to build a bridge between DevOps and security to realize the benefits of tools like containers and Kubernetes. This is because responsibility for securing cloud-native development tools like these is highly decentralized.
Why DevSecOps?
Our survey revealed that across various roles, DevOps is the single role most cited as responsible for securing containers and Kubernetes, but only according to 27% of respondents – hardly a majority.
Taken together, the myriad operational roles of DevOps, Ops, and DevSecOps are considered the primary owners of Kubernetes security by a whopping 66% of respondents. Echoing the need for security to shift left, 15% of respondents consider developers as the primary owners of Kubernetes security, with only 18% identifying security teams as being most responsible. This distribution shows that when it comes to container and Kubernetes security, multiple teams are involved. Traditionally, a Security team has been the central control point for enforcing security and compliance policies. Containers and Kubernetes adoption are often primarily driven by DevOps, so it’s not surprising to see respondents naming them responsible for securing these technologies.
To bridge these gaps, container and Kubernetes security tooling must facilitate close collaboration among different teams—from Developers to DevOps to Ops to Security—instead of perpetuating the silos that may plague organizations.
Most of your peers have started their DevSecOps journey
DevSecOps is no longer just a buzzword—the term encompasses the processes and tooling that allows security to be integrated into the application development life cycle rather than an afterthought. Our survey found good news on this front—the vast majority of respondents say
they have some form of DevSecOps initiative underway and 25% of respondents have an advanced DevSecOps initiative, where they’re integrating and automating security throughout the life cycle.
Navigating your DevSecOps journey
A good place to start on your DevSecOps journey is by learning from your DevOps journey. DevOps has come to reflect a culture that champions principles such as increased collaboration, shared responsibility between engineering teams that spans development and operations, removal of operational silos, and autonomous decision-making, all in the spirit of achieving greater speed and consistency.
DevOps relies on methodologies that leverage automation, continuous integration and delivery, and treating infrastructure and application components as immutable.
Challenges for implementing DevSecOps
These changes can place strains on existing security programs. DevOps-driven adoption of new technologies and processes may leave security as an afterthought or, in some instances, expose new gaps in security coverage and risk management. Security teams must therefore work toward a familiar set of goals for modern computing environments – avoiding security incidents, breaches, and exposures; establishing security best practices and policies to be implemented on an organization-wide basis; managing resources to minimize operational overhead, alert fatigue, tool sprawl, and manual investigative workflows – in ways that align with the approaches that engineering teams favor.
The introduction of new technical architectures and operational patterns associated with DevOps methodologies also results in security challenges that stem from greater complexity – for example, the number of cloud-native technologies that a single organization utilizes can easily climb into the dozens. The sprawl of smaller-sized application components running in containers, microservices, and serverless functions additionally makes it harder to ensure that scalable, strong security controls are applied uniformly across infrastructure and applications.
These challenges are often amplified by existing issues such as misalignment of priorities between engineering and security teams. Security teams are mandated to minimize risk and will disallow tools for which they lack adequate visibility, risk assessment, and control.
The practices that DevOps teams use to achieve scale and speed might make it harder to coordinate the implementation of security controls. However, DevSecOps holds the promise of leveraging these same DevOps principles to better align engineering and security teams on a common goal.
Three steps for beginning your DevSecOps journey
Because DevSecOps is based on the idea that security is everyone’s responsibility, the collective attention on security across engineering and security teams can lower risk for their entire organization. To successfully achieve DevSecOps as a goal requires an organization to understand and implement the following.
-
Security controls must be integrated continuously across the entire software lifecycle from the time that application components are built to when they are running.
-
Security should be implemented earlier in the lifecycle following a “shift left” approach so it can have an outsized impact on improving security and minimizing the overall operational overhead required.
-
It must be recognized that development engineers and DevOps end users are security users: they must be expected and empowered to implement and make independent decisions regarding security controls.
When adopted effectively, DevSecOps can enable an organization to secure their software environments with greater speed, at a larger scale, and more comprehensively when compared to using traditional security strategies that were not designed to safeguard modern infrastructure and applications.
Sull'autore
Ajmal Kohgadai is Principal Product Marketing Manager for Red Hat Advanced Cluster Security for Kubernetes. Prior to its acquisition by Red Hat, he was the Director of Product Marketing and Growth at StackRox, a leading Kubernetes security company.
Altri risultati simili a questo
Ricerca per canale
Automazione
Le ultime novità sulla piattaforma di automazione che riguardano la tecnologia, i team e gli ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Servizi cloud
Maggiori informazioni sul nostro portafoglio di servizi cloud gestiti
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Risorse per sviluppatori
- Supporto clienti
- Calcola il valore delle soluzioni Red Hat
- Red Hat Ecosystem Catalog
- Trova un partner
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit