DevSecOps Transformation · 2020-01-26
Posted 29-May-2020

DevSecOps Transformation: The New DNA of Agile Business
Why DevOps Is a Big Deal

Businesses are under increasing pressure to adapt quickly to customers through multiple digital channels.

Firms with high-performing IT organizations are twice as likely to beat profitability, market-share and productivity goals.3

Digital transformation and Agile or continuous development are key to customer satisfaction and long-term profitability.2

56% think they are not prepared for the change.1

87% of executives believe digital transformation will disrupt their industries.
What Is the Problem for InfoSec?

DevOps produces apps and changes too quickly for InfoSec to keep up.

Most DevOps code is created for web applications. 40% of data breaches involve attacks on web applications.6

Traditional analysis, reporting and remediation can take longer than development.

Only 17% of InfoSec organizations can keep up with Agile or continuous development.5

How Security Teams Can Fix the Problem

InfoSec must find a way to keep up.

InfoSec does AppSec testing at 83% of organizations.4
COMPARE

Traditional Development: 9-to-12-month AppDev cycle; large release; manual deployment.

DevOps: one-day cycle time; small, low-risk releases; automated deployment.

High-performing (DevOps-enabled) Organizations:

200x: Deploy 200x more often
24x: Recover from deployment failures 24x faster
22%: Spend 22% less on unplanned work
29%: Spend 29% more time on new work
1/3: Fail one-third as often
Seven DevSecOps Imperatives:

1 Embed automated tests and validation of controls into the deployment cycle.
2 Inventory and analyze reusable code to avoid reintroducing flaws.
3 Monitor code and results continuously in production.
4 Create "triggered" responses that can roll controls back to a known good state if there's a problem.
5 Evaluate AppSec tools for DevOps capabilities and automation; replace them as needed.
6 Align and coordinate with Dev, Sec and IT Ops teams, and keep communication constant between them.
7 Commit to a culture of process descriptions, automation, continuous monitoring and remediation.
References

1 MIT Sloan Management Review 2016 Digital Business report; http://sloanreview.mit.edu/projects/aligning-for-digital-future/
2 "Digital Transformation in the Age of the Customer," Accenture; www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Digital_2/Accenture-Digital-Transformation-In-The-Age-Of-The-Customer-Infographic.pdf
3 "State of DevOps 2016," DevOps Research and Assessment; https://continuousdelivery.com/evidence-case-studies/#research
4 SANS 2015 State of Application Security: Closing the Gap; www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
5 "IT Speed: The Crisis and the Savior of the Enterprise," a Forrester Consulting study commissioned by Chef, December 2013
6 2016 Verizon DBIR
Visit the SANS Analyst Reading Room. www.sans.org/reading-room/whitepapers/analyst