Coalfire Cloud Advisory Board Plots Smartest Path to DevSecOps Transformation: 2021 Report Reveals Best Practices for Secure SDLC
October 2021 by Coalfire
Cybersecurity industry pioneers recently came together to define best-practice paths to secure cloud application development and management in Coalfire’s latest Securealities research report, Smartest Path to DevSecOps Transformation.
Coalfire’s prestigious Cloud Advisory Board (CAB), consisting of some of the world’s most experienced C-level cyber leaders, along with cloud security thought leaders from Coalfire, shines a light on how competition, COVID-19, and the rapid adoption of cloud technologies are driving organizations to build software and bring products to market with novel technologies and new management styles.
Standing on the shoulders of the agile development process, the report chronicles the emerging methodology of development security operations – DevSecOps. The nature of continuous integration and development – CI/CD – has forced the final “shift left,” bringing coders and security pros together from the very start of every project.
“In the cloud, code is embedded every step of the way from the data center to the edge of networks, across expanding attack surfaces,” said Mark Carney, chief operating officer, Coalfire. “Code is more vulnerable now, and the development process is endlessly exposed to new threats from inception to the end of every product lifecycle. In the new report, Smartest Path to DevSecOps Transformation, we make the case for embracing DevSecOps and Application Security Orchestration and Correlation (ASOC) as the new strategic development and deployment imperatives, mission-critical to business continuity, operational resilience, and privacy protection.”
The report highlights key opportunities to drive security effectiveness for leaders in application security development and management by:
Establishing a secure development process and culture
· Embedding security into the software development life cycle (SDLC) from the outset through several techniques, including threat modeling before writing code, using application security testing gates, and implementing secure coding standards
· Expanding automation use cases, highlighting 20+ automation opportunities across the DevSecOps lifecycle (from real time alerting when security and functional inspections fail to collecting governance artifacts and automating traceability)
· Enlisting AppSec champions for support and scalability
· Building a security culture from the ground up, relying on the cultural triad (partnership, cooperation, and collaboration)
Rethinking governance, reporting, and go-to-market
· Breaking the model of how CISOs report to the board, showing how security protects each product along its unique journey to the customer and leveraging executive dashboards with continuous metrics
· Enhancing security governance by leveraging qualitative metrics in addition to the quantitative metrics that many organizations exclusively focus on today
· Insisting on centralized accountability for security, starting at the board level
· Highlighting the most effective tactics to tell your security story, such as re-framing “security first” messaging to “customer first” messaging
Bad actors are breaking into systems quickly and avoiding detection so frequently that there is no longer any such thing as a product or application without a single point of failure. Despite this, “customers are coming to expect flawless security assurance and execution from their vendors and suppliers,” said John Dickson, vice president, security solution architecture, who provides the introduction to the report.
“Our report paints a best-practice picture of where the puck is going on the road to digital transformation, and how securing the CI/CD pipeline has become core to the enterprise mission.”
The comprehensive report spans:
Mark Weatherford, CSO, AlertEnterprise and CSO, National Cybersecurity Center and Board advisor to public and private organizations
The Secure Product Lifecycle
Jerry Bell, VP and CISO, IBM Public Cloud
Adrian Mayers, Dr. B.A., VP, CISO, Premera Blue Cross
Matt Sharp, CISO, Logicworks
Nils Puhlmann, CRSO, MoonPay and Co-founder, Cloud Security Alliance
Tony Spinelli, CIO, Urban One, Inc. and Board Director, Peapack Bank, Blue Cross Blue Shield
Security as a Differentiator
Gail Coury, SVP, CISO, F5
Security requires constant innovation, in line with the new maxim that IT, development, and security teams must operate together with a “defensible” mentality. “There is no such thing as a completely secure system,” said Tony Spinelli, CIO, Urban One, Inc. “If you’re not innovating within your security program, you’re standing still. If you’re standing still, you’re falling behind.”