This introductory article opens a new series developed by TAG Cyber in conjunction with Sicura to offer insights and guidance into modern DevOps security using automated and integrated support.
As software development and IT management has shifted from traditional models toward modern DevOps, the potential for security vulnerabilities has increased. That is, where the familiar waterfall phases indicative of traditional software development could be easily augmented with protection tasks such as scanning or code review, modern DevOps is more challenging and requires a different approach, one that typically relies on automation.
An important factor is the high velocity of DevOps, which makes it difficult for software teams to pause and deliberate on possible security weaknesses. Instead, threat protection must be delivered consistent with rapid and agile delivery of product features. Software development teams cannot and will not slow down their processes for the security teams. Everything must operate at DevOps speed, presumably using automated support.
One positive outcome of this shift to automation is that development teams will experience reduced dependence on human processes. The primary exploitable threats to DevOps include misconfigurations in software and systems, vulnerabilities in code orchestration tools, and malicious code insertion. As suggested above, these security risks are best addressed using an automated security platform that can integrate with software process tasks.
In this series of reports from the TAG Cyber analysts, beginning with this introductory article, we discuss recent advances in automating the protection of software artifacts from malicious attack during all phases of the DevOps process. Such security focus is particularly important during the pre-delivery stages of the CI/CD pipeline and should be included in any emerging functional requirements for modern software development teams.
Security start-up Sicura offers a commercial platform that automates DevOps protections in practical software lifecycle settings. We use the Sicura platform as a means for highlighting how our proposed Dev Ops security requirements might be addressed. While this results in a buyer’s guide of sorts to the Sicura platform, the discussion here should extrapolate well to other commercial or open-source options.
TAG Cyber’s John Masserini begins the series by focusing on DevOps threats and how they have evolved. TAG Cyber’s Edward Amoroso continues with an explanation of the role of automation in DevOps security, guidance on requirements for DevSecOps, an overview of the Sicura platform, and an action plan for developers and security engineers. The goal of the series is to equip modern DevOps teams with a good understanding of automated security controls.
By Edward Amoroso, TAG Cyber CEO
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.
Next week we'll be back with Part 1 of the TAG Cyber Sicura series, on Understanding DevOps Threats by TAG Cyber Senior Analyst John Masserini. Interested in learning how can Sicura can make your environment more secure and your DevOps team more efficient? Get in touch.
Ready to maintain secure and compliant infrastructure focused on cost, automation, and consistency?