Moving Security To the Left In a DevOps World

By: Andrew Storms on October 1, 2014 2 Comments

Moving security to the left has become a coined phrase meant to describe the process of getting the security team involved earlier in a process. Most typically, the phrase is used in conjunction with IT or software development projects. One of the top suggestions for ensuring security in a DevOps world is to move security to the left in the process tool chain. But what exactly does that mean, and how exactly can you move security to the left?


Grab that Open Seat

The new DevOps process pipeline created an opening for a seat at the table for security. Prior to DevOps, the development team owned the entire pipeline from plan to release.  The Ops team would historically receive the release from over the wall and then be responsible for the deployment and operating the software inside the production environment.  With the Ops team joining forces with Development in the process pipeline, that has opened a proverbial seat at the table. What I’ve started to witness are security teams taking advantage of the musical chairs to quickly grab the open spot.

[Figure: DevOps process pipeline]

Taking a seat at the end of the development pipeline is not enough. Too many security teams are still being relegated to positions too late in the process. While running pen tests and security code reviews after a release is better than nothing, it is still not ideal. Security needs to find ways to add value to the process so they can act as a force for positive change instead of an afterthought.

Threat Vector Analysis

Threat vector analysis is part science, part art and part guesswork about uncertainty. What is certain, however, is that most developers would rather spend their time writing new functionality instead of trying to understand how an attacker could break their code. The security team could offer a tremendous service to an organization by offering their expertise in this area.

Continuous Integration Security Testing

Continuous integration is a key component of DevOps. The security team can leverage the development chain to insert early yet important risk control tests. Those tests could be, for example, static or dynamic code analysis. Other tests could be simple checks for known vulnerabilities in included libraries. The OWASP introduction to testing guide lists a plethora of application security tests that should be run often and early.
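As an added illustration of the "known vulnerability checks in included libraries" step (example code, not from the original post), this script compares a pinned dependency manifest against an advisory list with affected version ranges and returns the exit code a CI runner would use to block the build. The advisory identifiers, package names and manifest are constructed for the example, not real advisories.

```python
"""Known-vulnerability gate for included libraries, run as a CI step."""
import sys

# Constructed advisory list (not a real feed): package -> list of
# (introduced_version, fixed_version, advisory_id). A pinned release is
# affected when introduced <= version < fixed.
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "EXAMPLE-ADV-001")],
    "othercrypto": [("0.9.0", "2.0.0", "EXAMPLE-ADV-002")],
}

# Constructed pinned-dependency manifest, one "name==version" per line.
MANIFEST = """\
# sample lock file
examplelib==1.3.7
othercrypto==2.1.0
safeutils==4.0.1
"""


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return {package: version} from 'name==version' lines, skipping comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.lower()] = version
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """List (package, version, advisory_id) for every dependency in an affected range."""
    findings = []
    for name, version in deps.items():
        for introduced, fixed, adv_id in advisories.get(name, []):
            if parse_version(introduced) <= parse_version(version) < parse_version(fixed):
                findings.append((name, version, adv_id))
    return findings


def ci_gate(manifest_text=MANIFEST):
    """Exit code for the CI runner: 0 = clean, 1 = block the build."""
    findings = find_vulnerable(parse_manifest(manifest_text))
    for name, version, adv_id in findings:
        print(f"BLOCK: {name}=={version} is affected by {adv_id}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(ci_gate())
```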

Author Micro Security Services

Think about how great it would be if there were a group that specialized in authoring and delivering security-related services into your application. Proponents of services models generally promote splitting the development team into groups organized around business capabilities. For example, there are separate development groups for UI, middleware and DB. What is missing in most of those models is a group responsible for security services such as authentication, authorization and audit. Security has an opportunity just waiting for them to add incredible value while also ensuring the security services used pass muster.

Summary

Where we once had Ops fighting their way to be part of the entire development process, we now have security trying to do the same. Ops managed to earn their way into the club by coming to the table with invaluable skills and resources. Now it is up to security to present their creative sweet spot in order to secure their own seat at the table.

Further Reading

Andi Mann on Ensuring security and managing risk in enterprise DevOps
