Accelerating the DevOps process during Covid-19: How CFOs and CISOs can work together – Cloud Tech

admin on June 8, 2020 Leave a Comment

The Covid-19 pandemic has brought about a new normal. Remote working and videoconferencing has never been more popular; and as a direct consequence, the cloud has never been more popular either.

Yet a note of caution needs to be applied to those looking at full-speed migration. Jeremy Snyder of DivvyCloud told this publicationin Aprilthat people are really good at creating stuff, but not at cleaning up after themselves, whilewriting last monthMargaret Rogers, VP at Pariveda Solutions, warned that knowing where to go rarely makes the journey easier.

Security, more than ever in these uncertain times, is of paramount importance and Synopsys, an application security provider based in California, knows this better than anyone. Utsav Sanghani, seniorproductmanager at Synopsys (left), explains that while many customers are looking to accelerate their transformation, be theyin financial service, or independent software vendors (ISVs), one process is key.

All of these companies are in this transition, and typically a transition can take multiple years, he tells CloudTech. With Covid-19, specifically the companies going through this transition, those that have moved to a more agile, no touch DevOpsprocesshave been able to embrace this new normal, but some of these organisations with legacypipelines and no DevOps instrumentation process put in place will struggle.

Instead of initially being an 18 to 24 month effort, youve started to see organisations try and fast trackit now targeting completion in six to eight months, and rush to procure the right tooling and process change,alongside a bigcultural change that needs to go into make this successful, Sanghani adds.

Yet if your house is built on sand, the fall will still be great regardless of the other changes you make to your organisation. Obviously a lot of changes need to happen starting with the developers, the build processes, and going to continuous integration, explains Sanghani. Those mainframe systems were never built with continuous integration in mind, and so trying to retrofit that to a CI system is a challenge.

Like many companies in this space right now, Synopsys is seeing customer uptick and engagement across its portfolio, whether it is application security associated with cloud migration, or security in DevOps environments. This process, as with others, has been neatly categorised into a buzzword, DevSecOps. But as Sanghani explains, Synopsys goal is to move AppSec into the mainstream beyondthe buzzwords. DevSecOps is an ideology, while DevOps is truly a cultural change.

When we talk about embedding security, the goal is you ideally need to embed it early on in the process, he says. DevOps started off with providing a smoother transition between the developer component and the operational component and with security being so paramount at different stages, your risk varies from stage to stage.

If you are on the ops side, and you are running a scan and you realise there is an active vulnerability on the system deployed and running in production, youve got a problem, Sanghani adds. If you find something in the dev phase where its not deployed, you still have a good chance of handling it.

As a buzzword, DevOps has been very exciting for a lot of developers and the different members and maybe theres a more democratic process with different people engaging in it. Security can be a part of that. Our main goal is helping security admins in those organisations work with the developer, work with the DevOps engineer, the build engineer, and make security a standard part of the process, even if they move to a closer knit DevOps process.

So how can such a process be aligned and, more importantly, how can all stakeholders get on board? Focusing minds on the damage which can be done helps, while blue chip brands continue to suffer data breaches MarriottandCapital Oneto name two in the past 12months.

CFOs and CISOs can work very closely with each other, he says. A breach can be really damaging financially, as well as from a reputational standpoint. Organisations want to avoid that thats why they work together to institute changes that will ensure their risk profile is lower.

At the ground level, its more of an efficiency thing, he adds. Build and operations engineersget measured on how fast they are able to churn out code,pass it along the pipeline, and make it possible to get a release out the door. Its a different perspectivefor the CXO who is looking at it from the cost standpoint,but they all agree on DevOps primarily forthese reasons,because it helps them achieve those benefits.

Going forward, Synopsys notes the impact Covid-19 is having, both on customers roadmaps and how the company can help them. The companys customers range from startups looking to minimise their application security risk, to larger organisations, from retail to financial services, aiming for bestpractices.

Sanghani explains that customers rely on more traditional DevOps and collaboration tools, such as Atlassians JIRA and ServiceNow, and so ramping that up and getting more automation in is the priority. Say you found a security defect, an issue in [your] code base how will [you] get this in front of the developer? he says. How do we automate that process and scale up because were not working in the same office anymore?

You can have integrations with JIRA, where you push the issue to JIRA and it has the workflow already set up, and it automatically assigns the issue to the developer. The developer opens up the ticket [and knows they] have to fix this so facilitating that type of automation is something that Synopsys has started to fast track and help customers during this new normal of Covid-19.

Alongside this is a move to produce a greater quality of results over quantity. Were trying to reduce the number of results we give you, but we can give you thecontext so it will tell you something was found by this technology and that technology and it might be the same issue,so you have to solve it only once, he adds.

Thats the part which is missing in the industry today. We give you the individual tool data but how do you bring it all together so a developer understands why its a problem?Correlation, anda lot of automation-related stuff around detection and remediationis a major part of our plan. he adds.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend theCyber Security & Cloud Expo World Serieswith upcoming events in Silicon Valley, London and Amsterdam to learn more.

View post:
Accelerating the DevOps process during Covid-19: How CFOs and CISOs can work together - Cloud Tech

Related Posts
Posted in Cloud Computing

Comments are closed.