Datadog and Tenable have teamed up to help organizations adopt best-practice DevSecOps processes.
Tenable CTO Renaud Deraison said his company is making the cybersecurity data it gathers via its Nessus vulnerability scanning software available to the monitoring and analytics service provided by Datadog. The goal is to make it easier for DevOps teams to discover and address cybersecurity issues before an application is deployed in a production environment, he said.
Tenable has more than 30,000 customers, according to the company. Obviously, not all of them have embraced DevOps. However, unless DevOps teams can find a way to incorporate cybersecurity data, it won’t be practical for organizations to define a set of best DevSecOps practices. Even with that data available, Deraison said he expects it may be as long as five years before DevSecOps becomes broadly adopted. Many organizations are going to find a way to make cybersecurity teams part of the application development process. The challenge, of course, is finding a way to achieve that goal without unduly slowing down the application development process. In fact, Deraison said that despite all the hype surrounding DevSecOps at the moment, there still isn’t enough focus on actual workflows.
Less clear is whether security will become a distinct functional test within a DevOps process or simply be incorporated into an existing quality assurance process. Deraison noted that cybersecurity and quality assurance are really two sides of the same coin.
In the meantime, Tenable doesn’t have any plans to integrate with any other monitoring tool. The company chose to ally with Datadog because it makes available a set of application programming interfaces (APIs) that are well-defined, he said.
Going forward, DevOps teams should expect to see a raft of integrations between providers of cybersecurity tools and various monitoring platforms. That data needs to be made available both while an application is being developed and after it has been deployed in a production environment, to help developers prioritize bug fixes. Not all vulnerabilities are equal in severity, so it becomes important for DevOps teams to understand which are critical flaws that need to be addressed immediately and which can be addressed later in the application development cycle.
Naturally, the biggest challenge most organizations will face as they move to embrace DevSecOps is melding two very distinct cultures. In some cases, it may prove easier to teach developers the fundamentals of cybersecurity than it will be to teach cybersecurity professionals how to participate in, for example, a sprint. There may not even be enough cybersecurity professionals available to participate in the application development process, given the current chronic shortage of staff. There are already millions of unfilled cybersecurity jobs.
Precisely what role artificial intelligence (AI) might play in accelerating adoption of DevSecOps has yet to be determined. However, given the chronic shortage of cybersecurity expertise, it’s apparent more organizations are going to have to rely on AI frameworks embedded in monitoring platforms to analyze massive amounts of data in a way that surfaces actionable insights before applications can truly become more secure.
— Mike Vizard