This post is from the XebiaLabs blog and has not been updated since the original publish date.
From Water-Scrum-Fall to DevSecOps
As organizations abandon the waterfall method of software development for Agile, many are stuck in what Hasan Yasar terms Water-Scrum-Fall. That is, the organization has not effectively embraced Agile and DevOps principles and remains in silos with no links to business goals.

Enter DevOps, an extension of Agile thinking. While Agile embraces constant change and embeds the customer into the process, DevOps embraces constant testing and delivery and embeds operations into the team to internalize expertise on deployment and maintenance. This is how Hasan started his talk, Multi Security Checkpoints on DevOps Platform, at last year’s All Day DevOps conference. In his talk, Hasan lays out a plan to get organizations to DevSecOps.

Really, DevOps is a risk mitigation strategy, built on situational awareness, automation, and repetition. But security is where a lot of DevOps implementations fall down. The goals for each organization should be:
- Protecting private user data
- Restricting access to data/systems
- Protecting company data/intellectual property
- Standards compliance
- Safeguarding disposition/transition
- Supplier capability — Does the supplier follow practices that reduce supply chain risks?
- Product security — Is the delivered or updated product acceptably secure?
- Product distribution — Does the method of transmitting the product to the purchaser guard against tampering?
- Operational product control — Is the product used in a secure manner?
Even though the DevSecOps movement is in its infancy, there are proven patterns that work and use cases to learn from. To reduce your supply chain risk, Hasan recommends:
- Ensure supplier security commitment
- Evaluate a product’s threat resistance
- Create a centralized private repository of vetted 3rd party components for all developers
- Establish good product distribution practices
- Minimize variation of components to make things easier
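The repository of vetted components and the minimize-variation recommendation above can be enforced as one pipeline checkpoint. The following is an added example, not code from the original post or from Hasan's talk; it assumes a constructed `name==version` manifest format and a hypothetical allowlist standing in for the vetted repository's inventory.

```python
from collections import defaultdict

# Constructed allowlist, standing in for the vetted repository's inventory:
# component name -> versions that passed review (hypothetical data).
VETTED = {
    "requests": {"2.31.0", "2.32.3"},
    "pyyaml": {"6.0.1"},
}

def parse_manifest(text):
    """Parse 'name==version' lines (constructed format); skip blanks and '#' comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            # An unpinned component cannot be matched against the vetted inventory.
            raise ValueError(f"unpinned dependency: {line!r}")
        deps.append((name.lower(), version))
    return deps

def check_components(deps, vetted=VETTED):
    """Return a list of findings; an empty list means the checkpoint passes."""
    findings = []
    versions = defaultdict(set)
    for name, version in deps:
        versions[name].add(version)
        if name not in vetted:
            findings.append(f"{name}=={version}: not in vetted repository")
        elif version not in vetted[name]:
            findings.append(f"{name}=={version}: version not vetted")
    for name, seen in versions.items():
        if len(seen) > 1:  # variation across services in the same build
            findings.append(f"{name}: multiple versions {sorted(seen)}")
    return findings

# Constructed manifest covering two services built by the same pipeline.
SAMPLE_MANIFEST = """
# service-a
requests==2.31.0
# service-b
requests==2.32.3
leftpad==1.0.0
pyyaml==5.4.1
"""

if __name__ == "__main__":
    for finding in check_components(parse_manifest(SAMPLE_MANIFEST)):
        print("FAIL:", finding)
```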