{"id":111080,"date":"2020-05-18T06:00:18","date_gmt":"2020-05-18T13:00:18","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=111080"},"modified":"2020-05-20T13:03:52","modified_gmt":"2020-05-20T20:03:52","slug":"cloud-devops-needs-to-change-security","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/05\/cloud-devops-needs-to-change-security\/","title":{"rendered":"Why DevOps Needs to Change Security"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Where adopted, the DevOps methodology has made big changes in how applications are developed. Adding security into this methodology, however, has not been at the forefront of the developer thought process. This can cause many gaps in deployed applications. DevOps needs to change security. Teams can easily gain added visibility with the introduction of security during this build time while adding a collaboration point.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But what are the required changes, and what will be the impacts to security architecture and operations? What needs to stay the same and what needs to change?\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Security at Speed<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Even with manual approval points built into the workflow, traditional security operating models are going to present a bottleneck. To be effective, security teams need to embrace and integrate with the DevOps model to deliver testing and controls as part of the pipeline.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This will require the adoption of some new tools, the shifting of operational practices \u2013 and some new skills. 
In a DevOps-driven business, it\u2019s the only way to fulfill a team's mandate to protect the enterprise.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Shift Left<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">\u201c<\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2019\/07\/4-practical-steps-shift-left-security\/\"><span style=\"font-weight: 400;\">Shifting security left<\/span><\/a><span style=\"font-weight: 400;\">\u201d speaks to both definition and explanation. At the core, it means to insert security considerations earlier in the software delivery lifecycle. This makes sense because some security weaknesses are easier to detect \u2013 and much cheaper to remediate \u2013 during the construction phase of application development than after the software has been deployed.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What this can\u2019t mean, however, is the wholesale transfer of responsibility for application and runtime security to a development team. Security and development teams need to collaborate to identify threats and controls earlier and to insert security testing into the software delivery workflow.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The good news is that, although the specific tools a dev team might need to automate security testing might not be in place, they are available.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Threat Analysis<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Finally, developers are taking more responsibility for the runtime stack where their code will execute by using things like infrastructure-as-code to define an entire running application environment, or with Dockerfiles to define their application containers. 
In turn, security teams need to understand the possible threats within these evolving development environments and provide <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/03\/cloud-devops-plugins\/\"><span style=\"font-weight: 400;\">tools that development teams can integrate<\/span><\/a><span style=\"font-weight: 400;\"> at the earliest stages of application coding. This will allow both teams to recognize insecure configurations so they can be fixed even before the first code commit.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span style=\"font-weight: 400;\">Embracing DevSecOps<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">As DevOps-inspired software delivery becomes more and more prevalent, the other parts of IT \u2013 security in particular \u2013 will need to adapt to faster development cycles and new attack vectors within a highly automated software delivery pipeline. This is in addition to implementing security best practices and keeping up with the constantly changing threats and compromise techniques. It\u2019s safe to say the only risk that\u2019s shrinking is the risk of having nothing to do.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about bridging the divide between security and DevOps teams, you can watch our <\/span><a href=\"https:\/\/www.crowdcast.io\/e\/containerolympics\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Cloud Native Live virtual summit on-demand<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">This post originally appeared on <\/span><\/i><a href=\"https:\/\/thenewstack.io\/why-devops-needs-to-change-security\/\" rel=\"nofollow,noopener\" ><i><span style=\"font-weight: 400;\">The New Stack<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DevOps has changed how apps are developed. It\u2019s time for DevOps to change security, too. 
<\/p>\n","protected":false},"author":663,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6768],"tags":[7009,6901,7030,6890],"coauthors":[7098],"class_list":["post-111080","post","type-post","status-publish","format-standard","hentry","category-secure-the-cloud","tag-30-days-of-cloud","tag-cloud-native-security-platform","tag-devsecops","tag-prisma-cloud"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/111080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=111080"}],"version-history":[{"count":2,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/111080\/revisions"}],"predecessor-version":[{"id":111082,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/111080\/revisions\/111082"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=111080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=111080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=111080"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=111080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}