
Ben Todd at Dynatrace argues that to get a stalled DevSecOps culture moving organisations need to converge observability and security
As rising inflation and soaring energy prices pressure organisations to do more with less, digital transformation has become more of a priority than ever.
These efforts, supported by cloud migration, are critical to organisations’ drive to reduce infrastructure costs and modernise services to attract and retain customers.
However, this transformation is making technology stacks too complex for human teams alone to handle. With hybrid, multicloud environments becoming the norm, DevOps teams need to manage and secure data, platforms, and applications across an increasingly dynamic and distributed landscape.
To succeed, they will need to embrace DevSecOps practices that unify security and observability data and combine it with AI and automation. However, despite a widespread understanding of the benefits of this approach, many organisations have stalled in their efforts to implement an automation-fuelled DevSecOps culture.
The faster pace of digital transformation and the continued shift to the cloud are increasing the security risk that organisations face. In fact, research reveals that more than two-thirds (68%) of Chief Information Security Officers (CISOs) say vulnerability management has become more difficult because the complexity of their software supply chain and cloud ecosystem has increased.
As this trend continues, it is becoming a significant challenge for DevOps teams to prioritise vulnerabilities, because they don’t have enough context about the risk posed to their environment.
This often means teams can spend days chasing false positives or focusing on issues that don’t pose a significant threat to their organisation rather than dealing with the most urgent risks, leaving them unnecessarily exposed.
Organisations are also constrained by manual application security processes and fragmented DevOps toolchains. Despite the multitude of tools they use to maintain the security of their applications, DevOps teams struggle to respond quickly and resolve vulnerabilities when they are detected. This is because many of their solutions aren’t designed for the complexity of the cloud, and they aren’t integrated with one another.
As a result, teams are forced to rely on different and sometimes conflicting sources of observability and security data, and they have gaps in visibility across platforms. They are therefore forced to manually analyse hundreds, if not thousands, of security alerts to identify, assess, and prioritise their response efforts when new vulnerabilities emerge.
The combination of these factors, the complexity of cloud environments and the dependence on manual processes, is taking its toll and limiting the impact that organisations are seeing from their efforts to adopt DevSecOps practices. On average, each member of development and application security teams spends around a third of their time on vulnerability management tasks that could be automated.
These manual tasks have grown beyond human ability to manage, adding to existing strains on DevOps teams and making it more difficult for them to mitigate and eliminate vulnerabilities before they can be exploited.
To relieve DevOps teams from the burden of keeping applications secure and increase the impact of DevSecOps on innovation, organisations must automate out as much of the manual toil as possible.
To achieve this, they should embrace a unified observability and security strategy. This will break down silos between different sources of data and create a single source of truth with full context that can be used to drive automation.
When this data is combined with a trustworthy AI, DevOps teams can use it and the answers it contains to support end-to-end DevSecOps automation across the software delivery lifecycle (SDLC). For instance, they can automate IT service management (ITSM) workflows so that when a new vulnerability is detected, a support ticket is automatically created and sent to the relevant team to resolve.
This streamlined process saves time and resources by eliminating the need for DevOps teams to manually intervene every time a new vulnerability arises.
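The two ideas above, prioritising findings using runtime context and automatically raising a ticket for the owning team, can be shown concretely. The following is an added example written for this page; it is not code from the article, from Dynatrace, or from any scanner or ITSM product. The scoring weights, the `security-review` queue for findings with no observability data, the vulnerability identifiers and all the sample findings and runtime contexts are constructed assumptions. It combines a scanner's severity with whether the vulnerable package is actually loaded in the running process, whether the service is internet-facing and whether it handles sensitive data, then deduplicates the surviving findings into one ticket per team, vulnerability and package.

```python
"""Context-aware vulnerability triage feeding an ITSM-style ticket queue.

Added example, not from the article. All data and weights are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str       # constructed identifier, not a real CVE number
    service: str
    package: str
    cvss: float        # scanner's base severity on a 0-10 scale


@dataclass(frozen=True)
class RuntimeContext:
    service: str
    owner_team: str
    loaded_packages: frozenset   # libraries actually loaded in the running process
    internet_facing: bool
    handles_sensitive_data: bool


# Assumed weights: how much runtime exposure raises the scanner's base score.
INTERNET_FACING_FACTOR = 1.5
SENSITIVE_DATA_FACTOR = 1.2
# Hypothetical queue for findings with no observability data: a visibility gap
# is itself worth a ticket, because the scanner score alone cannot be trusted.
REVIEW_QUEUE = "security-review"


def risk_score(finding: Finding, ctx: RuntimeContext) -> float:
    """Scanner severity adjusted by what observability knows about the service."""
    if finding.package not in ctx.loaded_packages:
        return 0.0  # vulnerable code is present on disk but never loaded: not reachable
    score = finding.cvss
    if ctx.internet_facing:
        score *= INTERNET_FACING_FACTOR
    if ctx.handles_sensitive_data:
        score *= SENSITIVE_DATA_FACTOR
    return round(min(score, 10.0), 1)


def prioritise(findings, contexts):
    """Return (finding, score, team) tuples, highest risk first."""
    ctx_by_service = {c.service: c for c in contexts}
    scored = []
    for f in findings:
        ctx = ctx_by_service.get(f.service)
        if ctx is None:
            scored.append((f, f.cvss, REVIEW_QUEUE))   # no context: route for review
        else:
            scored.append((f, risk_score(f, ctx), ctx.owner_team))
    scored.sort(key=lambda t: (-t[1], t[0].vuln_id, t[0].service))
    return scored


def build_tickets(scored, threshold=7.0):
    """One ticket per (team, vuln_id, package); review-queue findings are always raised."""
    tickets = {}
    for f, score, team in scored:
        if score < threshold and team != REVIEW_QUEUE:
            continue
        key = (team, f.vuln_id, f.package)
        ticket = tickets.setdefault(
            key, {"vuln_id": f.vuln_id, "package": f.package, "services": [], "max_risk": 0.0}
        )
        ticket["services"].append(f.service)
        ticket["max_risk"] = max(ticket["max_risk"], score)
    by_team = {}
    for (team, _, _), ticket in tickets.items():
        by_team.setdefault(team, []).append(ticket)
    return by_team


# Constructed sample input: four services, one with no observability data at all.
SAMPLE_FINDINGS = [
    Finding("VULN-1", "checkout-api", "libfoo", 7.5),
    Finding("VULN-1", "checkout-worker", "libfoo", 7.5),
    Finding("VULN-1", "batch-reporter", "libfoo", 9.8),   # package installed, never loaded
    Finding("VULN-2", "internal-admin", "libqux", 6.5),
    Finding("VULN-3", "legacy-svc", "libold", 5.0),       # no runtime context available
]
SAMPLE_CONTEXTS = [
    RuntimeContext("checkout-api", "payments", frozenset({"libfoo", "libbar"}), True, True),
    RuntimeContext("checkout-worker", "payments", frozenset({"libfoo"}), False, True),
    RuntimeContext("batch-reporter", "analytics", frozenset({"libbar"}), False, False),
    RuntimeContext("internal-admin", "platform", frozenset({"libqux"}), False, True),
]


def demo():
    """Run the pipeline over the constructed sample and return tickets by team."""
    return build_tickets(prioritise(SAMPLE_FINDINGS, SAMPLE_CONTEXTS))


if __name__ == "__main__":
    for team, items in demo().items():
        print(team, items)
```

On the sample data the `batch-reporter` finding drops to zero because the package is never loaded, the two `payments` services collapse into a single ticket for VULN-1, and the service with no observability data lands in the review queue even though its score is below the threshold. In practice the context fields would be populated from the observability platform and the ticket dictionaries posted to the ITSM tool, which is the integration step the article describes.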
As organisations transform to meet customer expectations through faster innovation, they need to manage the security risks being created as a consequence of that speed and agility. To succeed, DevOps teams need to take a more strategic approach to application security, supported by DevSecOps automation.
By taking a more unified approach to observability and security, organisations can reap the true potential of DevSecOps automation for minimising the toil of vulnerability management. This will give DevOps teams more time to focus on higher value strategic tasks that drive the business forward and create a lasting competitive advantage.
Ben Todd is RVP EMEA Security Sales at Dynatrace