Eight tips are provided for deploying DevSecOps:
1. Embrace automation and prepare security teams for automated integration with DevOps initiatives.
2. Enable security testing tools and processes earlier in the development process.
3. Prioritize automated tools that can quickly triage critical issues to reduce false positives.
4. Start identifying open source components and vulnerabilities in development as a high priority.
8 Tips for Deploying DevSecOps
1. 8 Tips for Deploying DevSecOps
2. #1 Embrace automation
■ Prepare security and risk management teams for automated integration with DevOps initiatives, and identify the primary skills and technology gaps.
AUTOMATION IN 2020 IS KEY
3. #2 Enable Security Tools Sooner
■ “Shift left” and make security testing tools and processes available earlier in the development process, ideally as the developers are writing code.
PROACTIVE DEVOPS
4. #3 Auto-triage critical issues first
■ As zero-vulnerability applications aren’t possible, favor automated tools with fast turnaround times that focus on reducing false positives and allow developers to concentrate on the most critical vulnerabilities first.
PRIORITIZE ALERTS
5. #4 Jump start with 3rd party leaks (OSS & SDKs)
■ Start identifying OSS components and vulnerabilities in development as a high-priority project, as the biggest risk comes from known vulnerabilities and misconfigurations.
JUMPSTART DEVSECOPS
6. #5 APIs and CI/CD integrations are a MUST
■ Invest in “out of the box” integrations with common development toolchain vendors, and favor vendors that also offer full API enablement of their products for automation.
CONNECT YOUR TOOLS
7. #6 DevOps orchestration for policy enforcement
■ Require security controls to understand and be capable of applying security policies in container and Kubernetes-based development and deployment environments.
AUTOMATED WORKFLOWS
8. #7 Public cloud scripting drives auto-remediation
■ Experiment with DevSecOps workflows using public cloud infrastructure and programmatic ways that security policies can be integrated into templates, blueprints and recipes to avoid manual security policy configuration.
CUT DOWN ON MANUAL TASKS
9. #8 Continuously auto-scan in pre-production to save your apps in production
■ Favor offerings that can link scanning in development (including containers) to correct configuration and protection at runtime.
BE EFFICIENT