This is the fifth of a new five-part series of articles developed by TAG Cyber in conjunction with Sicura to offer insights and guidance into modern DevOps security using automated and integrated support.
As one would expect, the only reasonable way to implement the types of DevOps security controls described in this series of articles is to develop an action plan. Security and compliance requirements for DevOps are complex enough that coordination between different groups, integration with existing pipelines, and planning for which types of data and reports are needed must all be part of that action plan.
Two Steps of the DevOps Security Action Plan
The approach recommended here starts with the baseline DevOps pipeline that exists locally, with the objective of supporting two integration steps. Step 1 of the plan involves the security team reviewing, selecting, and ultimately implementing the desired tools and platforms for protection support throughout the DevOps process. This is best done through careful source selection, and TAG Cyber analysts are always available to support such work.
Step 2 of the plan requires attention to the integration of the selected tools and platforms into the DevOps process. This includes establishing connectivity to the desired systems (e.g., SIEM, GRC) as well as managing the dependencies that emerge between DevOps tasks and the newly embedded control systems. Connectivity and dependency management should therefore already be captured as requirements in Step 1.
Figure 5-1. Developing Local Requirements from the DevOps Security Pipeline
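The two Step 2 integration points, a hard dependency between a pipeline task and an embedded control, and connectivity to the systems that must receive its evidence, are easier to reason about when written down. The following is an added illustration, not Sicura's code or API and not taken from the original article; the scan findings, the policy fields, and the SIEM and GRC record shapes are constructed assumptions chosen only to show the shape of a stage gate:

```python
"""Stage gate that wires an embedded security control into a DevOps pipeline.

Added illustration; it is not Sicura's code or API. The scan findings, the
policy fields and the SIEM/GRC record shapes are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed output of an embedded control (e.g. a configuration scan run
# as its own pipeline task). Field names are assumptions, not a vendor format.
SAMPLE_FINDINGS = [
    {"id": "F-001", "severity": "HIGH", "component": "api-gateway", "rule": "tls-min-version"},
    {"id": "F-002", "severity": "LOW", "component": "api-gateway", "rule": "log-retention"},
    {"id": "F-003", "severity": "CRITICAL", "component": "billing", "rule": "hardcoded-secret"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class GatePolicy:
    """Step 1 decisions captured as data rather than left implicit in scripts."""
    block_at: str = "HIGH"                           # findings at or above this severity fail the stage
    require_siem: bool = True                        # SIEM connectivity is a hard dependency of the stage
    exempt_rules: set = field(default_factory=set)   # accepted risks, recorded in the GRC evidence


@dataclass
class GateResult:
    passed: bool
    blocking: list          # findings that caused the stage to fail
    siem_events: list       # one record per finding, for the SIEM connector
    grc_evidence: dict      # one summary record per stage run, for the GRC system


def to_siem_event(finding, pipeline_id, stage, timestamp):
    """Flatten a finding into the record a SIEM connector would forward (assumed shape)."""
    return {
        "timestamp": timestamp,
        "source": "devops-security-gate",
        "pipeline_id": pipeline_id,
        "stage": stage,
        "finding_id": finding["id"],
        "severity": finding["severity"],
        "component": finding["component"],
        "rule": finding["rule"],
    }


def evaluate_gate(findings, policy, pipeline_id, stage, siem_connected=True, timestamp=None):
    """Decide whether the stage may proceed and produce the downstream records.

    A deploy task wired after this gate depends on its result; that is the
    dependency between DevOps tasks and embedded controls made explicit.
    """
    if policy.require_siem and not siem_connected:
        # Fail closed: a control whose evidence cannot be recorded does not
        # provide the assurance the action plan promised.
        raise RuntimeError("SIEM connection required by policy is unavailable")

    timestamp = timestamp or datetime.now(timezone.utc).isoformat()
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= threshold and f["rule"] not in policy.exempt_rules
    ]
    siem_events = [to_siem_event(f, pipeline_id, stage, timestamp) for f in findings]
    grc_evidence = {
        "timestamp": timestamp,
        "pipeline_id": pipeline_id,
        "stage": stage,
        "control": "security-gate",
        "policy_block_at": policy.block_at,
        "findings_total": len(findings),
        "findings_blocking": [f["id"] for f in blocking],
        "exemptions_applied": sorted(f["rule"] for f in findings if f["rule"] in policy.exempt_rules),
        "result": "PASS" if not blocking else "FAIL",
    }
    return GateResult(passed=not blocking, blocking=blocking,
                      siem_events=siem_events, grc_evidence=grc_evidence)


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, GatePolicy(), "pipeline-42", "deploy")
    print("gate:", result.grc_evidence["result"],
          "blocking:", [f["id"] for f in result.blocking])
```

The policy object is the artifact Step 1 should produce: the blocking threshold, the accepted-risk exemptions, and the requirement that a SIEM connection exists are selection-time decisions, and the gate refuses to run when the connectivity requirement is unmet rather than silently dropping evidence.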
Establishing On-Going Communications
The challenge of assuring coordination between the software development teams and the security staff cannot be overstated. Without strong cooperation and agreement between these groups, a security baseline for DevOps is unlikely to be maintained. Gaps in coverage, for example, often occur when roles and responsibilities for developers and security staff are unclear.
As a result, a key aspect of any action plan to implement a DevOps security solution, including the practical use of the Sicura platform, is an effective program of communication and sharing during all phases of the DevOps security lifecycle: planning, platform selection, and on-going implementation. It matters less who manages this aspect of the pipeline than that it is included in the process.
For this reason, workflow support should be considered during source selection of the desired DevOps security tool. Integration with automated support, ticketing, and other IT service management components is a good idea, and security engineers are advised to discuss this functional requirement with the vendors being considered. The end result, as suggested above, is to ensure coordination, cooperation, and communication.
By Edward Amoroso, TAG Cyber CEO
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.
Interested in learning how Sicura can make your environment more secure and your DevOps team more efficient? Get in touch.