Do You View Your AppSec Tools as an Inhibitor to Innovation or a Safety Measure?

As security continues to become integrated into DevOps and application development, it promises to help drive innovation.

By Helen Beal · Mar. 28, 17 · Opinion

DevOps is all about making better software faster. It also requires making it more safely while compressing the time between ideation and realization. I hear IT organizations tell me time and time again of their ambitions to be the innovation powerhouse for their business, so it's great news that most of the respondents to Sonatype's 2017 DevSecOps Community Survey (more than 80%, in fact) didn't see their AppSec tools as an inhibitor to innovation but rather as a safety measure.


If you've read The Phoenix Project you'll probably remember the portrayal of John, the CISO. He started the book as an outsider, on a completely different wavelength from the other characters. But John was also pivotal to Bill's realization that he needed to amplify the feedback loops between IT and the business and get much closer to his organization's 'why.' Security has often been a bit of an afterthought in the DevOps world for many organizations, but I hark back to the "more safely" part of my first sentence.

I recently had a conversation with Magnus Hedemark on LinkedIn where he pointed out that DevOps breaks the iron triangle of cost, speed, and quality; traditionally there has always been a trade-off where you could only be great at two. For example, you could have speed and quality, but only at a very high cost.

In addition to enabling all three attributes of the iron triangle, DevOps gives us a bonus fourth portion of delight: happy people. Thus the "Beal-Hedemark golden square of DevOps" was born. DevOps allows us to deliver at low cost, at high speed, and with high quality, along with this extra dose of happiness (have you heard of HumanOps or HugOps?).

DevOps-native AppSec tools integrate early into your software development lifecycle, allowing your software engineers to make informed choices about the composition of your applications. DevOps-native tools also help avoid costly future situations and support the golden square. Shifting security left in this way:

  • saves money and time down the line by mitigating risk while it is still cheap to fix (cost).
  • reduces how much you depend on expensive and time-consuming penetration and vulnerability testing late in the cycle to catch problems, avoiding nasty surprises from security incidents and from the licensing terms of the components you ship (speed).
  • automates quality into your toolchain by integrating these checks into your CI/CD pipelines, where they run on every build rather than at a one-off audit (quality).
  • empowers your developers by warning them of the risks as they add artifacts to their applications and giving them the opportunity to make an informed choice about a better option (happiness).
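What a check like the ones in the list above looks like when it sits in the pipeline, as an added example that is not code from the original article or from any vendor's product: a small gate that reads a pip-style requirements file, compares each exact pin against a local advisory list, prints a warning for every hit and fails the build (non-zero exit) for findings above a severity threshold or for dependencies that cannot be evaluated because they are not pinned. The package names, versions and advisory IDs are constructed for illustration and describe no real vulnerability; the file format, the severity threshold and the fail-closed handling of unknown specifiers are assumptions made for the example.

```python
# Shift-left dependency gate for a CI/CD pipeline. Added example, not code from
# the original article or any vendor's product. Assumes a pip-style requirements
# file with '==' pins and a local advisory list; every package, version and
# advisory ID below is constructed for illustration and describes no real flaw.
import re
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: tuple   # first affected version, inclusive
    fixed: tuple        # first fixed version, exclusive; None when no fix exists
    severity: str       # "critical" | "high" | "medium" | "low"

@dataclass(frozen=True)
class Finding:
    package: str
    ident: str          # advisory id, or "UNPINNED" for a policy finding
    severity: str
    blocking: bool      # True -> fail the build
    remedy: str

# Constructed advisory feed: fictional packages and IDs.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", (1, 0, 0), (1, 4, 2), "high"),
    Advisory("EXAMPLE-0002", "fakeparser", (0, 0, 0), None, "critical"),
    Advisory("EXAMPLE-0003", "demo-http", (2, 0, 0), (2, 3, 0), "medium"),
]

# Accept 'name' or 'name==X.Y.Z' (plus comments); any other specifier is rejected.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9.]*))?\s*(?:#.*)?$")

def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare correctly for dotted numeric versions."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_requirements(text):
    """Map package name -> pinned version tuple, or None when no '==' pin is given.

    Fails closed: a line the gate cannot interpret (e.g. 'foo>=1.0') raises."""
    deps = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _REQ_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised requirement line: {line!r}")
        name, pin = match.group(1).lower(), match.group(2)
        deps[name] = parse_version(pin) if pin else None
    return deps

def is_affected(adv, version):
    """True when version lies in [introduced, fixed)."""
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed

def evaluate(deps, advisories=ADVISORIES, fail_on=("critical", "high")):
    """Findings for a parsed manifest; unpinned packages are policy failures."""
    findings = []
    for name, version in sorted(deps.items()):
        if version is None:
            findings.append(Finding(name, "UNPINNED", "policy", True,
                                    "pin an exact version so it can be checked"))
            continue
        for adv in advisories:
            if adv.package == name and is_affected(adv, version):
                remedy = ("upgrade to " + ".".join(map(str, adv.fixed)) if adv.fixed
                          else "no fixed release; replace the dependency")
                findings.append(Finding(name, adv.advisory_id, adv.severity,
                                        adv.severity in fail_on, remedy))
    return findings

def gate(requirements_text, advisories=ADVISORIES):
    """Report every finding and return True only if nothing blocking was found."""
    findings = evaluate(parse_requirements(requirements_text), advisories)
    for f in findings:
        print(f"{'BLOCK' if f.blocking else 'WARN '} {f.package}: {f.ident} ({f.severity}); {f.remedy}")
    return not any(f.blocking for f in findings)

# Constructed manifest for the example run.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0
fakeparser==0.9.1
demo-http==2.2.0
safe-util==4.1.0
leftpad-ish
"""

if __name__ == "__main__":
    sys.exit(0 if gate(SAMPLE_REQUIREMENTS) else 1)
```

Run as a pipeline step, the script's exit status is the gate: the medium finding on demo-http is reported but does not block, the high and critical ones do, and the unpinned entry is treated as a failure because a version the tool cannot evaluate is a version nobody has checked. Adjusting `fail_on` is how the security team expresses its policy, and the remedy text is what gives the developer the "informed choice" the list above describes rather than a bare red build.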

Building the right AppSec tools seamlessly into the DevOps loop (your continuous release cycle) means your IT delivery value stream operates faster, cheaper, and at high quality. Your software engineers are happy because they are producing high-quality code; your security teams are happy because they know their policies are being followed and they can see it; and, most importantly, your customers are happy because they are getting what they need and everyone is safe.

DevOps-native AppSec tools help drive innovation: they provide a light "belt and braces" touch (if that's not too oxymoronic) that allows a safety culture to evolve.

Want to learn more about DevSecOps?

This blog is one of seven in a series providing expert commentary and analysis on the results of Sonatype's 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, please visit www.sonatype.com/2017survey.


Published at DZone with permission of Helen Beal, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
