It’s time for secure development in the cloud, with DevSecOps

Oliver Pinson-Roxburgh, EMEA Director for the Solutions Architects Team at Alert Logic, recently shared his views on DevSecOps at the South Wales AWS User Group, where he discussed ‘Taking a DevOps Approach to Security’. As a Security-as-a-Service provider, Alert Logic deals with 1.6 petabytes of data per month and has over 4000 clients worldwide.
The talk opened by summarising the top six ideas organisations need to consider when tooling up to support DevOps:
- Deploying Tools
- Handling Agility
- Seamless Expansion
- Having Coverage
- Integration with cloud platforms
- Not allowing security to slow you down
Oliver focused on this last point later in his talk: integrating with the cloud allows organisations to move faster than before. This means that if an organisation is breached, problems can go from bad to worse faster than before. However, it also means that organisations can secure themselves faster than was previously possible. To reinforce this point, Oliver showed how an everyday website could be hacked by following the Cyber Kill Chain™.
Oliver went on to say that a secure DevSecOps process would consist of five main areas: Design, Test, Monitor, React and Protect. The problem is that there is no benefit in carrying out these stages if you are going to disregard or misinterpret the data you receive. Oliver explained:
“If you don’t know why you’re monitoring it, collecting it or you don’t know what to do with it, then don’t collect it in the first place… Be Pragmatic.”
―Oliver Pinson-Roxburgh of Alert Logic