
DevOps Connect at RSA: In Security, Choose Increments

By: Ericka Chickowski on March 3, 2016

Earlier this week the worlds of DevOps and information security collided at the DevOps Connect Rugged DevOps event, held in conjunction with RSA Conference 2016. The security-centric audience got to hear from a number of thought leaders across the DevOps and infosec worlds about ways security pros and DevOps teams can work together and establish incremental improvements in application security, as IT picks up the pace of software delivery.


Among the talks, Forrester Analyst Amy DeMartine discussed her team’s findings after studying the “best of the best” in implementing Rugged DevOps patterns. There are seven habits universal across organizations that are succeeding with this new way of developing and deploying secure applications, she notes.

“Think of it as a fitness program, and the muscles that you are building up are those that strengthen application security,” she says.

These habits include a number of obvious practices along with a few surprises:

  • Increase trust and transparency between Dev, Sec and Ops.
  • Understand the probability and impact of specific risks.
  • Use the continuous delivery pipeline to incrementally improve security practices.
  • Standardize third-party software and then keep current.
  • Govern with automated audit trails.
  • Test preparedness with security games.

All are good tips for getting security, dev and ops to work better at delivering code both faster and more securely. But the seventh habit probably raised the most CISO eyebrows and could have the most potential to effect meaningful change and collaboration:

  • Discard detailed security road maps in favor of incremental improvements.

According to her, the “best of the best” organizations in Rugged DevOps have security leaders who make it a habit to ditch detailed security road maps in favor of establishing a broad vision and achieving incremental security improvements over time.

As she related in her talk, she’s seen too many organizations develop extensive and extremely detailed multiyear road maps only to see them grow obsolete not only because of rapid changes in the IT environment, but also the constant pivots attackers make in their attack techniques.

Instead, she said, security leaders have to take the same continuous improvement approach that their peers in development and operations have made in their shift to DevOps.

“This is a mind shift change that has to happen,” she warns.

To achieve good results, security leaders should rely on “real-time, actionable measurements” to focus on the improvements that matter, such as decreasing remediation time for vulnerabilities.

“In DevOps, we call this Plan, Do, Check, Act, where you’re taking very small changes. Say you want to insert static analysis right after a developer checks in new code. So you’re going to go off and plan. The plan is to insert static analysis,” she says. “Then you’ll do—we’re going to look at tools, we’re going to create our rules. We’re going to check to make sure it works, if it improves things. And then we’re going to move on to the next thing—maybe it’s tightening our rules or maybe it’s adding another tool.”
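The two ideas above, a gate inserted at check-in that is tightened one increment at a time, and a small set of actionable measurements to check whether each increment helped, can be made concrete in code. The following is an added example written for this article; it is not Forrester's or the speaker's material. It models one Plan-Do-Check-Act loop: a policy gate over static-analysis findings (the "Do"), the tightened policy of the next iteration (the "Act"), and a remediation-time measurement (the "Check"). The findings, rule identifiers, file paths and vulnerability records are constructed sample data, and the policy fields are assumptions chosen for the illustration, not the schema of any real tool.

```python
"""One Plan-Do-Check-Act increment for a static-analysis gate.

Added example, not code from the article. All findings, rule ids,
paths and vulnerability records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Ordering used to compare a finding against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One result from the static-analysis step run at check-in."""
    rule_id: str
    severity: str
    path: str
    line: int


@dataclass(frozen=True)
class GatePolicy:
    """What the pipeline blocks on. Starts loose, then tightened per iteration."""
    fail_at: str                                  # lowest severity that blocks the change
    ignore_rules: FrozenSet[str] = frozenset()    # rules still being tuned (assumed field)


def evaluate_gate(findings: List[Finding], policy: GatePolicy) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings) for one analysis run under a policy."""
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking = [
        f for f in findings
        if f.rule_id not in policy.ignore_rules
        and SEVERITY_RANK[f.severity] >= threshold
    ]
    return (not blocking), blocking


@dataclass(frozen=True)
class VulnRecord:
    """A tracked vulnerability: when it was opened and, if fixed, when it was closed."""
    vuln_id: str
    opened: datetime
    closed: Optional[datetime]


def remediation_stats(records: List[VulnRecord], now: datetime, sla_days: int) -> Dict[str, float]:
    """The 'Check' step: mean days to close, plus open items past the SLA."""
    closed_durations = [(r.closed - r.opened).days for r in records if r.closed is not None]
    mean_days = sum(closed_durations) / len(closed_durations) if closed_durations else 0.0
    open_over_sla = sum(
        1 for r in records if r.closed is None and (now - r.opened).days > sla_days
    )
    return {"mean_days_to_close": mean_days, "open_over_sla": open_over_sla}


# Constructed output of one static-analysis run (not from any real tool).
SAMPLE_FINDINGS = [
    Finding("SA001", "high", "app/db.py", 42),
    Finding("SA007", "medium", "app/views.py", 10),
    Finding("SA013", "low", "app/util.py", 3),
]

# Iteration 1 ("Plan"/"Do"): insert the step, block only on critical findings.
INITIAL_POLICY = GatePolicy(fail_at="critical")
# Iteration 2 ("Act"): tighten the rules so high-severity findings block too.
TIGHTENED_POLICY = GatePolicy(fail_at="high")
# Variant while a noisy rule is being tuned: keep the tighter threshold, park one rule.
TUNING_POLICY = GatePolicy(fail_at="high", ignore_rules=frozenset({"SA001"}))

# Constructed remediation records used for the "Check" measurement.
NOW = datetime(2016, 3, 10)
SAMPLE_RECORDS = [
    VulnRecord("V-1", datetime(2016, 3, 1), datetime(2016, 3, 3)),
    VulnRecord("V-2", datetime(2016, 3, 1), datetime(2016, 3, 7)),
    VulnRecord("V-3", datetime(2016, 2, 20), None),  # still open after 19 days
]


if __name__ == "__main__":
    for name, policy in [("initial", INITIAL_POLICY), ("tightened", TIGHTENED_POLICY)]:
        passed, blocking = evaluate_gate(SAMPLE_FINDINGS, policy)
        print(f"{name} gate: {'PASS' if passed else 'FAIL'} "
              f"({', '.join(f.rule_id for f in blocking) or 'no blocking findings'})")
    print(remediation_stats(SAMPLE_RECORDS, NOW, sla_days=14))
```

With the constructed data the initial policy passes, the tightened one fails on the single high-severity finding, and the remediation measurement reports a mean of four days to close with one open item past a 14-day SLA. The point of keeping the policy as data rather than hard-coding it is that each "Act" step is a one-line change that can be reviewed and rolled back like any other pipeline change.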
