The SecOps Playbook: What I’ve Learned About Integrating Security Into DevOps

Security is difficult, and integrating it into your DevOps workflow can be a challenge. Read on to find out why this is so and how to overcome these obstacles.

Pete Cheslock · Oct. 22, 16 · Opinion

The Threat Stack SecOps Playbook is now available!

Why We Created a SecOps Playbook

I have experienced the transition to SecOps up close and personal. I’ve led teams in figuring out how to get security practitioners and DevOps teams in sync and in harmony. Along the way, I’ve learned a number of valuable lessons that can be extended to any team that is thinking about bringing security deeper into the DevOps process.

Why SecOps?

If you’ve been reading our blog for a while, you know that we believe in the value of bringing SecOps (aka DevSecOps, SecDevOps, etc.) into your organization to streamline the security process and make sure that every piece of code that makes it into production is as safe and secure as possible.

In fact, we believe that SecOps will save the cloud (and is currently doing so). Merging your development and operations team with your security team is the best way — the only way — to ensure that best practices are built into code before vulnerabilities become an issue.

As with any shift, there are challenges to implementing SecOps. However, based on my experience, I can tell you that these challenges can be surmounted with a little strategy and an awesome tool or two (including Threat Stack).

Here are the three objections to moving toward SecOps that I hear most frequently, along with my counterpoints. You can also check out a more complete SecOps Playbook, full of practical tips to put you on a smooth path to SecOps success.

1. Objection: Budget

What it sounds like: we don’t have enough resources and can’t afford to get what we need.

Thanks to the large number of open-source tools that are available today, it’s possible to pull together a suite of tools that can make SecOps a reality regardless of your budget. You just need a roadmap and organizational buy-in. Buy-in requires knowing who needs to be at the table when and making sure that everyone understands why SecOps will benefit the whole organization. (We explain how to make this argument in more detail in the playbook.)

2. Objection: Talent

What it sounds like: but we don’t have enough security people as it is!

There’s no denying that we are in the midst of a major security talent crunch. There are not enough security experts on the market and it’s hard to find candidates who are skilled in the latest tools and technologies. Even when teams manage to hire good security people, the ones that can code often get stolen by development teams.

The good news is that you can make security happen whether you have a full security operations center (SOC) or no infosec employees at all. In a modern organization, security should not just be the responsibility of analysts or even SecOps teams; it should be a team-wide, top-to-bottom effort. Keep in mind, the better your tools and processes, the fewer experts you’ll need.

3. Objection: Tools

What it sounds like: there aren’t any tools on the market that work for SecOps teams.

People often say they don’t have the tools that they need to make SecOps happen. While that was a valid complaint historically, these days it doesn’t stand up as well. Between free and open-source options and comprehensive cloud security solutions like Threat Stack, robust tools are available to meet nearly every SecOps need. Moreover, many of the tools currently being used by DevOps can also be used to ensure security; it’s simply a matter of picking the right ones and training your team in how to use them to their highest potential.

The Reality: Security Is People

Once you have an adequate budget, trained talent, and appropriate tools, getting SecOps off the ground requires a shift in your organization’s culture.

DevOps itself requires a pretty big cultural shift. If you’ve been on a team that has made the transition or transferred into an organization that is DevOps-oriented from one that was not, you’ve probably seen the differences and experienced the growing pains firsthand.

SecOps requires a cultural shift all its own. Once an organization has shifted its mindset to focus on integrated tools and workflows for development and operations, it’s time to pull security in. With the right approach and toolset, it can be easier than you think.

Get the Roadmap

To help you address the challenges of budget, talent, tools, and culture, the Threat Stack experts have put together a brand-new playbook all about the practical aspects of implementing SecOps. In it, we cover:

  • The history of DevOps and SecOps.
  • Who should implement SecOps and why.
  • The six practical steps you need to take to get going with SecOps.
  • The KPIs and success metrics you should care about.

If your organization is looking to bring security into the DevOps equation to release secure code without sacrificing speed, we believe this playbook will help you reach that goal.


Published at DZone with permission of Pete Cheslock. See the original article here.

Opinions expressed by DZone contributors are their own.
