Securing a devops pipeline can often be regarded as a special cyber security use case. The thinking behind the specialness of that use case is that security within the development pipeline is so important that securing devops warrants having its own process. We even sometimes see security included in the name: devsecops.
But devops is a business process. Just one of N key and critical business processes in the enterprise. Although securing devops pipelines requires some specialized dev and build process knowledge, devops is simply one part of a security ecosystem that shares similar needs and requirements with a lot of other complex and sensitive business processes that also need to be secured.
Common needs. Common process.

Identity and access.
Unauthorized sensitive data exposure.
Activity anomalies.
Compensating controls.
So, the security program methodology and process needs to transcend devops and scale across all business processes in the enterprise in a standardized way. Like cattle, in herds.
Standards development.
Governance during execution.
Common metrics.
If security programs maintain a very boutique approach for devops and have to establish different processes for the rest of the enterprise, the program won't scale. Each secured process will need individual attention, very similar to pets. Cattle versus pets.

The additional work in developing scalable approaches is worth the time and resource savings.

Your program. Your scale. Your results.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.