
Security, DevOps and the shift to a software supply chain

By: Ericka Chickowski on May 1, 2015 7 Comments

Last week at the DevOps Connect event, held in conjunction with RSA Conference, the security and continuous delivery worlds united behind an overarching message: security teams that embed themselves in DevOps patterns can not only secure IT at speed, but also contribute to a more reliable, repeatable and higher-quality release cycle.


“DevOps extended the value of Agile so that we went from just continuous integration to continuous integration and continuous deployment,” says Josh Corman, CTO of Sonatype. “If the three measures of any software manufacturing lifecycle are speed, efficiency and quality/risk, then I think this Rugged DevOps era ideally allows you to go even faster, be even more efficient because of fewer break fixes and faster mean time to repair, and better quality and lower risk.”


Corman and Gene Kim, author of The Phoenix Project, built on this idea in their talk, arguing that the ultimate Zen state of software delivery to strive for is a software supply chain.

“The way we can get more safety and security into digital infrastructure, is to move to the ultimate evolved posture of software development as a supply chain,” Corman explains. “This makes you even faster than DevOps–even more efficient and with higher quality and risk mitigation without tradeoffs.”

The idea of the software supply chain further builds on the lean manufacturing principles of W. Edwards Deming, who many in the Agile and DevOps worlds see as the spiritual grandfather of these movements.

“If you take Deming to his logical consequence, we’re going to start paying attention to the quality of our suppliers, the quality of our supply and the traceability and visibility of which parts went where, such that when there’s another Heartbleed, we can do a prompt and Agile response,” he says, explaining that avoiding known bad parts, such as a bad version of struts in car manufacturing or a faulty SSL component like the one that caused Heartbleed, “will make you keep top speed, halve your blowouts, faster mean time to repair, better traceability and make the auditors go away with less pain.”

Security teams have traditionally been known as roadblocks rather than speed enhancers to development processes. But looked at from the perspective of creating an effective software security supply chain, security actually plays a role in further speeding up production if it helps organizations depend on higher-quality components, both in production code and in the code running the infrastructure.

“If we get better at our component selection and our traceability of what we’re using where, we can reduce the number of break-fixes or reduce the number of unplanned, unscheduled work,” Corman explains.
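The two practices Corman names, component selection and traceability of what is used where, are concrete enough to show in code. The following is an added example, not code from the article or from Sonatype: a minimal component inventory that parses one constructed dependency manifest per deployed service, checks each against a constructed advisory record (the version range here mirrors the well-known Heartbleed range for OpenSSL, but the services, manifests and advisory structure are invented for illustration), reports which services ship an affected version, and gates new component selections against the same advisory list so a known-bad part never enters a build.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: one "name==version" manifest per deployed service.
MANIFESTS: Dict[str, str] = {
    "checkout-api": "openssl==1.0.1f\nlibxml2==2.9.1\nrequests==2.3.0",
    "inventory-svc": "openssl==1.0.1g\nlibxml2==2.9.1",
    "legacy-portal": "openssl==1.0.1e\nstruts==2.3.15",
    "batch-worker": "openssl==0.9.8y\nlibxml2==2.9.1",
}

# Constructed advisory record (hypothetical structure). The affected range is
# [introduced, fixed): 1.0.1 up to but not including 1.0.1g, i.e. Heartbleed.
ADVISORIES: List[dict] = [
    {"component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g", "note": "Heartbleed"},
]


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Sort key for dotted versions with an optional letter suffix (1.0.1 < 1.0.1a < 1.0.2)."""
    parts = []
    for seg in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", seg)
        if not m:
            raise ValueError(f"unparseable version segment {seg!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines into {name: version}; blank and '#' lines are ignored."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, ver = line.partition("==")
        if not sep or not ver.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        deps[name.strip().lower()] = ver.strip()
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under the version ordering above."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_exposed(manifests: Dict[str, str], advisories: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Traceability: map each service to the (component, version, note) triples it ships that match an advisory."""
    exposed: Dict[str, List[Tuple[str, str, str]]] = {}
    for service, text in manifests.items():
        deps = parse_manifest(text)
        for adv in advisories:
            ver = deps.get(adv["component"])
            if ver is not None and is_affected(ver, adv["introduced"], adv["fixed"]):
                exposed.setdefault(service, []).append((adv["component"], ver, adv["note"]))
    return exposed


def check_component_selection(name: str, version: str, advisories: List[dict]) -> Tuple[bool, str]:
    """Selection-time gate: refuse a component version that falls in a known-bad range."""
    for adv in advisories:
        if adv["component"] == name.lower() and is_affected(version, adv["introduced"], adv["fixed"]):
            return False, f"{name} {version} is in a known-bad range ({adv['note']}); use {adv['fixed']} or later"
    return True, "ok"


if __name__ == "__main__":
    # Prompt response: which deployed services carry the bad part?
    for service, hits in sorted(find_exposed(MANIFESTS, ADVISORIES).items()):
        for component, version, note in hits:
            print(f"{service}: {component} {version} ({note})")
    # Selection gate: would this new dependency be allowed into a build?
    for candidate in ("1.0.1f", "1.0.1g"):
        print("openssl", candidate, "->", check_component_selection("openssl", candidate, ADVISORIES)[1])
```

Run as a script, it lists checkout-api and legacy-portal as exposed (1.0.1f and 1.0.1e fall inside the range) while inventory-svc (already on 1.0.1g) and batch-worker (on 0.9.8y, below the introduced version) are not, and it rejects 1.0.1f but accepts 1.0.1g at selection time. In a real pipeline the manifests would come from lock files or an SBOM and the advisory list from a vulnerability feed; the point the example makes is that both questions, "what do we ship where?" and "is this part known bad?", are cheap to answer once the inventory exists.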

He emphasizes that security debt tracks roughly with technical debt, and that CISOs should be having conversations with DevOps teams to that end. In the end, security work pays down principal on technical debt, making it possible to spend more time writing code and less time on rework.

“I’d love to give us a more defensible opportunity which embraces what devops already cares about and doesn’t articulate how we can make them safer, instead articulate how we can make it faster and more efficient,” he says.

As security pros start to do so, they might be surprised at their reception by the developers and operations folks. As Kim explained in their talk, in the end everyone does want the kind of quality that a cooperative security team can bring to the DevOps equation.

“When security imposes itself on day-to-day DevOps processes, dev and ops say ‘thank you,’” he says.

Filed Under: Features Tagged With: rugged devops, Software Supply Chain
