Don’t Neglect Security in Your DevOps Process
Enterprises must protect their digital assets, especially interconnected systems, applications and data repositories. One such strategy is identity and access management (IAM), a framework for controlling access in which individuals and devices receive access only to the data and applications appropriate to them.
“Organizations are ultimately responsible for their own software delivery and their own code,” says Paul Nashawaty, practice leader and lead principal analyst at the Futurum Group.
He adds that end users expect organizations to protect this code within reason. Businesses often release code without proper testing. Therefore, platform engineering teams should work with development teams to ensure that code is protected.
Strategies to protect code include a software bill of materials, a list of ingredients in a software package being delivered. A software bill of materials “gives you a blueprint or a template for what should be in there,” Nashawaty explains. “And if there’s more in there, that’s a red flag, so it allows for actionable insights for the platform engineering team to take immediate action.”
Nashawaty compares it to a baker adding sardines into a cake: It’s not in the recipe. “If platform engineering teams notice additional components that should not have been included, they can flag it to security teams,” he says.
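The "sardines in the cake" check described above can be automated: the approved recipe is a manifest of expected components, and a delivered SBOM is compared against it so that anything extra, missing, or at an unexpected version is flagged for the platform engineering team. The following is an added example, not code from the article or from any vendor it quotes. It assumes a CycloneDX-style JSON SBOM with a `components` list of `name`/`version`/`purl` entries; the manifest, the SBOM, and every package name in it are constructed sample data.

```python
"""Compare a delivered SBOM against an approved component manifest.

Added example (not from the original article). Assumes a CycloneDX-style
JSON SBOM; the manifest and SBOM below are constructed sample data.
"""
import json
import sys

# Constructed "recipe": the components a release is allowed to contain,
# pinned to the versions that were reviewed. Hypothetical package names.
APPROVED_MANIFEST = {
    "flour-http": "2.4.1",
    "sugar-json": "1.0.3",
    "eggs-logging": "3.2.0",
}

# Constructed SBOM for a delivered build. It contains an unexpected
# component (the "sardines") and a version that drifted from the recipe.
DELIVERED_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "flour-http", "version": "2.4.1", "purl": "pkg:pypi/flour-http@2.4.1"},
    {"name": "sugar-json", "version": "1.0.3", "purl": "pkg:pypi/sugar-json@1.0.3"},
    {"name": "eggs-logging", "version": "3.1.9", "purl": "pkg:pypi/eggs-logging@3.1.9"},
    {"name": "sardines-telemetry", "version": "0.9.0", "purl": "pkg:pypi/sardines-telemetry@0.9.0"}
  ]
}
"""


def load_components(sbom_json):
    """Parse a CycloneDX-style SBOM into a {name: version} map.

    Rejects malformed entries instead of silently skipping them: an SBOM
    that cannot be fully read must not be treated as a clean one.
    Keyed by name for simplicity; a production check would key on purl.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    components = {}
    for entry in doc.get("components", []):
        name, version = entry.get("name"), entry.get("version")
        if not name or not version:
            raise ValueError("component missing name or version: %r" % entry)
        if name in components:
            raise ValueError("duplicate component in SBOM: %s" % name)
        components[name] = version
    return components


def check_sbom(sbom_json, manifest):
    """Diff the delivered SBOM against the approved manifest.

    Returns a report with three findings: components that are not in the
    recipe at all, components the recipe requires but the build lacks, and
    components present at a version other than the reviewed one.
    """
    actual = load_components(sbom_json)
    unexpected = sorted(name for name in actual if name not in manifest)
    missing = sorted(name for name in manifest if name not in actual)
    version_drift = {
        name: (manifest[name], actual[name])
        for name in manifest
        if name in actual and actual[name] != manifest[name]
    }
    return {
        "unexpected": unexpected,
        "missing": missing,
        "version_drift": version_drift,
        "ok": not (unexpected or missing or version_drift),
    }


def main():
    report = check_sbom(DELIVERED_SBOM_JSON, APPROVED_MANIFEST)
    for name in report["unexpected"]:
        print("RED FLAG: component not in recipe: %s" % name)
    for name in report["missing"]:
        print("RED FLAG: required component missing: %s" % name)
    for name, (expected, found) in report["version_drift"].items():
        print("RED FLAG: %s expected %s, found %s" % (name, expected, found))
    # A non-zero exit lets a build pipeline stop the release for review.
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a build step, the script's non-zero exit code is what turns the finding into the "immediate action" the article describes: the pipeline halts and the unexpected component is handed to the security team rather than shipped. The parser deliberately fails closed on a malformed or unreadable SBOM, since an SBOM that cannot be fully checked gives no assurance about what is in the package.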
In May 2021, the White House issued an executive order on improving the nation’s cybersecurity. It outlines how to protect code before it is shipped to the public.
“It requires the checks and balances from the organization to ensure that it’s delivering safe code and safe applications,” Nashawaty says. “That’s where platform engineering comes in.”
Build Cyber Resilience with Deliberation and Security Automation
Slowing down to test code properly is essential, Nashawaty says.
“You have to slow down, test code, ensure it’s proper, and then you can go faster,” Nashawaty says. “Otherwise, your reputation is at risk, you’re compromising your clients, you’re jeopardizing your business, and ultimately, it could end in very poor results for your organization.”
He advises companies to use “trusted code from trusted repositories” as part of a zero-trust strategy, in which every user and device accessing a network is continuously verified rather than trusted by default.
To improve an organization’s security posture over time and maintain cyber resilience, organizations should also consider automating security testing, vulnerability scanning and compliance checks.
“Security automation is indeed critical for scale,” Montenegro says. Security should be a key component of the automation workflow and a routine part of the build process, he suggests.
“This is much better than forcing developers to manually call security tests, for example.”