
From Water-Scrum-Fall to DevSecOps

As organizations abandon the waterfall method of software development for Agile, many are stuck in what Hasan Yasar terms Water-Scrum-Fall. That is, the organization has not effectively embraced Agile and DevOps principles and remains in silos with no links to business goals.

Enter DevOps, an extension of Agile thinking. While Agile embraces constant change and embeds the customer into the process, DevOps embraces constant testing and delivery and embeds operations into the team to internalize expertise on deployment and maintenance.

This is how Hasan started his talk, Multi Security Checkpoints on DevOps Platform, at last year’s All Day DevOps conference.

In his talk, Hasan lays out a plan to get organizations to DevSecOps. Really, DevOps is a risk mitigation strategy, built on situational awareness, automation, and repetition. But, security is where a lot of DevOps implementations fall down. The goals for each organization should be:

  • Protecting private user data
  • Restricting access to data/systems
  • Protecting company data/intellectual property
  • Standards compliance
  • Safeguarding disposition/transition

But, how do organizations get there? First, integration and communication. Every point of the product development lifecycle should be integrated and communicating, including among the tools. Once this is achieved, you can automate many, if not most, of the tasks. The automated steps are the ones that require fewer human actions and less human input in the software development process. This allows everyone to focus on innovation and better code rather than on tasks that autonomous systems can handle. Also, tasks that can be automated are less susceptible to error.


Of course, it is the team that ultimately designs, develops, and delivers the software. Your team consists of development, IT operations, quality assurance, and security. Each has its own skill set and focus, and the overlap is Secure DevOps.


The team is in place, processes are automated, and development has started. Development in this day and age has evolved tremendously from even just a few years ago. Previously, software was limited in size, function, and audience, and the supply chain was practically non-existent: your team built each component. Now, software has grown beyond what an organization can build on its own outside of its core competencies. The supply chain now involves many sources for the code. It is more like plug-and-play, and this creates lots of vulnerabilities.

Hasan notes the software supply chain risk factors:

  • Supplier capability — Does the supplier follow practices that reduce supply chain risks?
  • Product security — Is the delivered or updated product acceptably secure?
  • Product distribution — Does the method of transmitting the product to the purchaser guard against tampering?
  • Operational product control — Is the product used in a secure manner?

 


Even though the DevSecOps movement is in its infancy, there are proven patterns that work and use cases to learn from.

To reduce your supply chain risk, Hasan recommends:

  • Ensure supplier security commitment
  • Evaluate a product’s threat resistance
  • Create a centralized private repository of vetted 3rd party components for all developers
  • Establish good product distribution practices
  • Minimize variation of components to make things easier
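The risk factors and recommendations above can be enforced at the point where a build resolves its third-party components: every artifact the build pulls in must come from the vetted set, must match the digest the central repository recorded for it (guarding the distribution channel against tampering), and the audit can also surface duplicate versions of one component to support the "minimize variation" recommendation. The following is an added example, not code from the post or from Hasan Yasar's talk; the component names, versions and artifact bytes are constructed, and the in-memory allowlist stands in for the central private repository's manifest.

```python
"""Vetted-component gate for a build (added example, not from the original post)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One third-party component as the build actually resolved it."""
    name: str
    version: str
    sha256: str  # digest of the artifact bytes the build fetched


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data standing in for the central private repository.
# In a real setup only the digests would be stored; the bytes are kept here
# so the example runs offline.
_VETTED_BYTES = {
    ("example-http", "2.31.0"): b"constructed artifact bytes for example-http 2.31.0",
    ("example-yaml", "6.0.1"): b"constructed artifact bytes for example-yaml 6.0.1",
    ("example-yaml", "5.4.1"): b"constructed artifact bytes for example-yaml 5.4.1",
}
VETTED_MANIFEST = {key: sha256_of(data) for key, data in _VETTED_BYTES.items()}


def classify(component: Component, manifest=VETTED_MANIFEST) -> str:
    """Return 'ok', 'unvetted' (not in the repository) or 'tampered' (digest mismatch)."""
    expected = manifest.get((component.name, component.version))
    if expected is None:
        return "unvetted"
    if expected != component.sha256:
        return "tampered"
    return "ok"


def audit_build(components, manifest=VETTED_MANIFEST) -> dict:
    """Audit a resolved dependency set; the build is blocked unless every component is 'ok'."""
    findings = {}
    versions_seen = {}
    for c in components:
        findings[(c.name, c.version)] = classify(c, manifest)
        versions_seen.setdefault(c.name, set()).add(c.version)
    # More than one version of the same component in one build is the
    # variation the talk recommends minimizing; report it separately.
    variation = {name: sorted(v) for name, v in versions_seen.items() if len(v) > 1}
    blocked = any(status != "ok" for status in findings.values())
    return {"findings": findings, "variation": variation, "blocked": blocked}


def sample_build():
    """Constructed resolution result: one good, one tampered, one duplicate version, one unvetted."""
    tampered = _VETTED_BYTES[("example-yaml", "6.0.1")] + b"\x00injected"
    return [
        Component("example-http", "2.31.0", sha256_of(_VETTED_BYTES[("example-http", "2.31.0")])),
        Component("example-yaml", "6.0.1", sha256_of(tampered)),
        Component("example-yaml", "5.4.1", sha256_of(_VETTED_BYTES[("example-yaml", "5.4.1")])),
        Component("example-leftpad", "0.0.1", sha256_of(b"never vetted")),
    ]


if __name__ == "__main__":
    report = audit_build(sample_build())
    for key, status in report["findings"].items():
        print(f"{key[0]}=={key[1]}: {status}")
    print("duplicate versions:", report["variation"])
    print("build blocked:", report["blocked"])
```

The gate fails closed: an unknown component and a digest mismatch are both treated as blocking, so a component that never went through vetting cannot slip in just because nobody recorded a digest for it. The variation report is informational here; a team could make it blocking once its component set has been consolidated.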

Finally, as you transition to DevSecOps, remember that security must be addressed without breaking the rapid delivery, continuous feedback model.


You can watch Hasan’s entire talk online here for more details and other tips.

If you missed any of the other 30-minute presentations from All Day DevOps, they are easy to find and available free of charge here. Finally, be sure to register yourself and the rest of your team for the 2017 All Day DevOps conference here. This year’s event will offer 96 practitioner-led sessions (no vendor pitches allowed). It’s all free and online October 24th.

Editor’s note: This post originally appeared here. It has been slightly edited for clarity. XebiaLabs is a sponsor of All Day DevOps, 2017. 

The post From Water-Scrum-Fall to DevSecOps appeared first on XebiaLabs Blog.
