
Information security is an evolving discipline, one which needs to stay not just one step ahead of the bad guys but also to take account of the way business and technology are changing. In business the name of the game is to be “agile” and to be able to adapt and disrupt both old and new industries.

It’s all about DevOps now

In the technology world, the steady growth of cloud computing and of new ways of creating and deploying applications quickly means that security needs to keep up to be successful. The use of traditional frameworks such as waterfall development and ITIL has given way to new methods of working, often labelled “DevOps”. Formed from a combination of development and operations, the principle of DevOps is to create code quickly, deploy it immediately and get feedback from users as you go along.

Terms such as CI/CD (Continuous Integration/Continuous Delivery) and its more extreme version, Continuous Deployment, are relatively recent additions to the software development vocabulary. These ideas mean that the delay between code being written and its deployment into the live environment can be almost non-existent.

Enter DevSecOps…

The breakneck speed of this method obviously means that ensuring new apps are secure can be something of a challenge. The information security industry has reacted to this need by creating its own new way of working, usually called “DevSecOps”. This attempts to deliver the benefits of fast deployment whilst ensuring that basic information security precautions and controls are not bypassed or forgotten.

Delivering DevSecOps is recognised to be a difficult but necessary task which involves thinking about security from the very beginning of a project and ensuring that the people involved in it have the right level of awareness. Delegating security responsibilities into the development teams is key, and many organisations establish roles with names such as “Security Champion” and “Security Advocate” to try to achieve this.

Where the deployment of code is automated, it is important to ensure that the relevant security checks and testing are also automated, so that they don’t delay the deployment and reduce the perceived agility of the development process itself. Just as agile developers create “use cases”, a corresponding set of “mis-use cases” also needs to be considered, along with input from frameworks such as the OWASP Application Security Verification Standard.

Infrastructure as Code

But it’s not just software applications that move fast in today’s world. The area of infrastructure has also been affected: the ability to virtualize complete environments means that in many cases the infrastructure itself may be treated as code. In a situation where a server may be created in seconds, it’s just as important as ever to ensure that the correct security standards are established and applied.

There’s a lot at stake

In the current Silicon Valley-inspired rush to “fail fast, fail often” it is vital that the security of the resulting systems is not compromised, particularly as a large proportion of the general public will use these applications without a second thought, often entrusting them with significant amounts of personal data. DevSecOps is developing into the accepted way to address the issues raised by the pace of change in today’s interconnected world. Currently it consists of a loosely defined set of techniques and tools, but it is likely this will become better defined as time goes by.

CertiKit is working on incorporating aspects of DevSecOps into our toolkits and it is likely that this will be a growth area in content in the future. As always, we will be keeping an eye on how this develops, as we continually update our products and knowledge.
