
DevSecOps Transformation · 2020-01-26


DevSecOps Transformation
The New DNA of Agile Business

Why DevOps Is a Big Deal

Businesses are under increasing pressure to adapt quickly to customers through multiple digital channels. Digital transformation and Agile or continuous development are key to customer satisfaction and long-term profitability.2

87% of executives believe digital transformation will disrupt their industries, and 56% think they are not prepared for the change.1

Firms with high-performing IT organizations are twice as likely to beat profitability, market-share and productivity goals.3

COMPARE

                 Traditional Development       DevOps
Cycle time       9-to-12-month AppDev cycle    One-day cycle time
Release size     Large release                 Small, low-risk releases
Deployment       Manual deployment             Automated deployment

High-performing (DevOps-enabled) organizations:

Deploy 200x more often
Recover from deployment failures 24x faster
Spend 22% less on unplanned work
Spend 29% more time on new work
Fail one-third as often

What Is the Problem for InfoSec?

DevOps produces apps and changes too quickly for InfoSec to keep up. Traditional analysis, reporting and remediation can take longer than development itself: only 17% of InfoSec organizations can keep up with Agile or continuous development.5

Most DevOps code is created for web applications, and 40% of data breaches involve attacks on web applications.6

How Security Teams Can Fix the Problem

InfoSec must find a way to keep up. InfoSec already does AppSec testing at 83% of organizations,4 so the gap is one of speed rather than coverage: the testing exists, but it does not run at the pace of the pipeline.

Seven DevSecOps Imperatives:

1 Embed automated tests and validation of controls into the deployment cycle.
2 Inventory and analyze reusable code to avoid reintroducing flaws.
3 Monitor code and results continuously in production.
4 Create “triggered” responses that can roll controls back to a known good state if there’s a problem.
5 Evaluate AppSec tools for DevOps capabilities and automation; replace them as needed.
6 Align and coordinate with Dev, Sec and IT Ops teams, and keep communication constant between them.
7 Commit to a culture of process descriptions, automation, continuous monitoring and remediation.
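
As an added example (not code from the SANS poster or from any product it references), the Python sketch below shows how imperatives 1, 3 and 4 fit together: a policy check that runs as a gate inside the deployment step, the same check re-run against what is actually live in production, and a triggered rollback to the last known-good configuration when the live state drifts. The policy keys and their expected values, the Deployment class, the function names and both sample configurations are constructed for illustration and do not come from any real tool.

```python
"""Added example, not from the SANS poster: a control-validation gate that runs
inside the deployment cycle, re-runs against production and rolls back on drift."""
import copy
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Constructed policy: control name -> (operator, expected value).
POLICY: Dict[str, Tuple[str, Any]] = {
    "tls_min_version": ("min", 1.2),                 # numeric floor
    "debug_mode": ("eq", False),                     # must be off in production
    "auth_required": ("eq", True),
    "cors_allow_origin": ("not_in", {"*", "null"}),  # wildcard/null origin forbidden
    "admin_ports_public": ("eq", False),
}


@dataclass
class GateResult:
    passed: bool
    findings: List[str] = field(default_factory=list)


def validate_controls(config: Dict[str, Any], policy=POLICY) -> GateResult:
    """Check every control in the policy. A missing control is a failure: an
    absent setting means the framework default, which is rarely the safe one."""
    findings: List[str] = []
    for key, (op, expected) in policy.items():
        if key not in config:
            findings.append(f"{key}: missing (policy requires {op} {expected!r})")
            continue
        actual = config[key]
        if op == "min":
            ok = actual >= expected
        elif op == "eq":
            ok = actual == expected
        elif op == "not_in":
            ok = actual not in expected
        else:
            raise ValueError(f"unknown operator {op!r} for {key}")
        if not ok:
            findings.append(f"{key}: {actual!r} violates {op} {expected!r}")
    return GateResult(passed=not findings, findings=findings)


class Deployment:
    """Stand-in for a deployment target: the live config plus the history of
    configs that passed the gate, i.e. the known-good states to roll back to."""
    def __init__(self, initial: Dict[str, Any]):
        result = validate_controls(initial)
        if not result.passed:
            raise ValueError("initial config fails policy: " + "; ".join(result.findings))
        self.live = copy.deepcopy(initial)
        self.known_good: List[Dict[str, Any]] = [copy.deepcopy(initial)]
        self.log: List[str] = []

    def deploy(self, candidate: Dict[str, Any]) -> bool:
        """Imperative 1: the gate is part of the deployment step, so a candidate
        that violates policy never becomes live. Returns True on success."""
        result = validate_controls(candidate)
        if not result.passed:
            self.log.append("blocked: " + "; ".join(result.findings))
            return False
        self.live = copy.deepcopy(candidate)
        self.known_good.append(copy.deepcopy(candidate))
        self.log.append("deployed")
        return True

    def apply_out_of_band_change(self, changes: Dict[str, Any]) -> None:
        """Simulates drift: someone edits production directly, bypassing the gate."""
        self.live.update(changes)

    def monitor(self) -> bool:
        """Imperatives 3 and 4: re-validate what is actually live and, on failure,
        trigger a rollback to the last known-good state. Returns True if it fired."""
        result = validate_controls(self.live)
        if result.passed:
            return False
        self.live = copy.deepcopy(self.known_good[-1])
        self.log.append("rolled back: " + "; ".join(result.findings))
        return True


# Constructed sample configs: a compliant baseline and a candidate that
# re-enables debug output and opens CORS to any origin.
GOOD_CONFIG = {
    "tls_min_version": 1.2, "debug_mode": False, "auth_required": True,
    "cors_allow_origin": "https://app.example", "admin_ports_public": False,
}
BAD_CANDIDATE = dict(GOOD_CONFIG, debug_mode=True, cors_allow_origin="*")


def run_scenario() -> Dict[str, Any]:
    """One release cycle: the gate blocks the bad candidate, then drift in
    production is detected and rolled back. Returns the end state."""
    target = Deployment(GOOD_CONFIG)
    blocked = not target.deploy(BAD_CANDIDATE)
    target.apply_out_of_band_change({"debug_mode": True})
    rolled_back = target.monitor()
    return {"blocked": blocked, "rolled_back": rolled_back,
            "live": target.live, "log": target.log}


if __name__ == "__main__":
    print(*run_scenario()["log"], sep="\n")
```

Running the module prints one log entry for the blocked release and one for the rollback. In a real pipeline the policy would live in version control, validate_controls would run as a CI job that fails the build, and monitor would be a scheduled or event-driven job against the real deployment API. The design point is that the same check runs at both stages: production cannot drift away from the state the gate approved without a response, and the "known good" state is always one the gate itself accepted, not a hand-picked backup.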

1 MIT Sloan Management Review 2016 Digital Business report; http://sloanreview.mit.edu/projects/aligning-for-digital-future/
2 “Digital Transformation in the Age of the Customer,” Accenture; www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Digital_2/Accenture-Digital-Transformation-In-The-Age-Of-The-Customer-Infographic.pdf
3 “State of DevOps 2016,” DevOps Research and Assessment; https://continuousdelivery.com/evidence-case-studies/#research
4 SANS 2015 State of Application Security: Closing the Gap; www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
5 “IT Speed: The Crisis and the Savior of the Enterprise,” a Forrester Consulting study commissioned by Chef, December 2013
6 2016 Verizon Data Breach Investigations Report (DBIR)

Visit the SANS Analyst Reading Room: www.sans.org/reading-room/whitepapers/analyst

SPONSORED BY