Featuring Amy DeMartine
Forrester Q&A
QUESTION 05
One of the most common “containerized” workloads is web applications. Too often, organizations only focus security efforts on business-critical web apps, neglecting the rest of the application portfolio. Yet, almost every single web app has at least one vulnerability, so what should businesses do differently?
Start with understanding what applications you have and where they are deployed. It’s impossible to know that you have 100% coverage with security testing unless you know what applications you have.
Next, it doesn’t matter if an application is being developed via DevOps methodologies or waterfall: perform application security testing early in the life cycle and use any automation you can, so that applications are scanned automatically at a certain phase.
When evaluating application security testing tools, look for tools that:
• Integrate with the automation tools your developers are already using (such as Jenkins)
• Cover the source code languages, frameworks or binary formats your applications use
• Deliver highly accurate, quality results that match the speed of your releases
QUESTION 04
What recommendations do you have regarding container security, a prime use case for DevSecOps?
The biggest issue security pros must overcome with containers is that developers can put anything inside a container. These mystery components can significantly add to the attack surface of an application. Security pros need to help developers identify vulnerable components early in the development life cycle, hopefully using automation in the CI/CD pipeline to make the identification of these vulnerabilities consistent and fast and guarantee the remediation of any discovered vulnerabilities before a container is released into a production environment.
After getting vulnerability scanning processes in place, security pros should investigate other security issues relevant to containers such as:
• Signing images to ensure the same container is built, tested and deployed
• Hardening the host OS
• Monitoring containers in production for any unsafe behavior
• Implementing least privilege user authentication
QUESTION 03
How can security leaders drive the transformation from DevOps to DevSecOps?
We recommend including security pros in DevOps teams from the beginning, but what we see in practice is that the silos between developer and infrastructure and operations pros are often so big that many organizations focus on eliminating those barriers first.
Don’t wait for your DevOps teams to approach you. Start talking with the application development organization to understand what applications are moving to DevOps. Reach out to these groups to understand what technologies they are using to develop, build and release their code. Attend application planning sessions and talk about how you can accelerate their identification and remediation of security flaws early in order to avoid unplanned or unscheduled work right before applications are deployed.
QUESTION 02
While undoubtedly driving business growth and innovation, fast-moving cloud and DevOps environments are also introducing unprecedented levels of risk for security leaders. What advice can you offer to help them enable and protect the business?
Yes, there is the potential to have greater levels of risk than ever before with faster application releases and a proliferation of new applications. But security pros also have opportunities that weren’t available before in the form of automation.
With an automated CI/CD pipeline, security pros can automate security testing early in the software delivery life cycle, halt the process automatically if security quality levels are not at the right levels and give developers in-the-moment remediation advice and learning about how to write more secure code.
With all the automation, security pros can turn more toward governance of application security and work to drive consistency with security testing across all applications – no matter if they are in the cloud or on-premises.
QUESTION 01
Thinking about today’s enterprise cloud environments, where do you see cybersecurity teams struggle most?
Cloud and automated deployments make it easy for developers to create new customer touch points in the form of applications. However, it’s also easy for these applications to skip security controls. Security pros can fundamentally lack visibility into the assets and workloads deployed in the cloud and therefore cannot apply consistent security policies to them. To properly reduce risk, security pros need the ability to discover new cloud applications and then assess them for vulnerabilities and protect them.