Tuesday, January 12, 2021

Talking DevSecOps on the CISO Series Podcast

Source: https://gigaom.com/2021/01/12/talking-devsecops-on-the-ciso-series-podcast/
January 12, 2021 at 04:27PM

When GigaOm VP of Research Jon Collins published his latest report, “GigaOm Radar for Evaluating DevSecOps Tools,” it kicked off a discussion on the popular CISO Series Podcast hosted by David Spark. In that podcast, Spark discussed the report with Mike Johnson, producer of the CISO Series, and Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group.

Spark and Cahill talked about Collins’ approach to evaluating the DevSecOps tool space and the dynamics involved in assessing and selecting DevSecOps solutions. As Cahill noted, modern application development is all about “agility and moving quickly—it’s continuous everything.” And in that context, Cahill said, security needs to be integrated into every phase of the application lifecycle—something DevSecOps solutions are designed to do.

“A lot of traditional cybersecurity controls don’t integrate natively into build tools like Jenkins, or they don’t provide alerts vis-à-vis Jenkins, PagerDuty, and Slack; they may not open a ticket automatically in Jira; they may not have the ability to assign a policy by integrating with orchestration tools like Jenkins or Kubernetes,” Cahill explains. “That’s just a short list of the types of tools that those teams use. The controls have to snap in; they have to support those types of environments. You get less friction, and the result is you can automate security by integration with those tools.”
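The integration pattern Cahill describes (a control that runs inside the build, applies a policy, fails the stage, and hands findings to ticketing and chat instead of a separate console) is easiest to see as a small pipeline gate. The block below is an added example written for this page, not code from the podcast, GigaOm, or any scanner or ticketing vendor. The scanner output, the policy file, and the Jira-style and Slack-style payload shapes are simplified assumptions; a real deployment would map them to the tools’ actual APIs.

```python
"""Pipeline security gate: apply a policy to scanner findings and produce the
CI decision plus ticket/chat payloads as plain data (no network I/O).

Added example, not code from the podcast or from GigaOm. The finding format,
the policy shape and the Jira-/Slack-style payload fields are assumptions."""
import hashlib
import json
from datetime import date

# Constructed scanner output in an assumed, simplified format (not a real tool's schema).
SCAN_RESULTS = [
    {"rule": "CWE-89", "severity": "critical", "file": "app/db.py", "line": 42,
     "message": "SQL query built by string concatenation"},
    {"rule": "CWE-79", "severity": "high", "file": "web/views.py", "line": 17,
     "message": "Unescaped user input rendered in template"},
    {"rule": "CWE-798", "severity": "high", "file": "tests/fixtures.py", "line": 3,
     "message": "Hard-coded credential"},
    {"rule": "CWE-400", "severity": "low", "file": "app/upload.py", "line": 88,
     "message": "No size limit on uploaded file"},
]

# Policy as code (assumed shape): what breaks the build, what only gets a ticket,
# and time-boxed suppressions that must carry an owner, a reason and an expiry.
POLICY = {
    "fail_on": {"critical", "high"},
    "ticket_on": {"critical", "high", "medium"},
    "suppressions": [
        {"rule": "CWE-798", "path_prefix": "tests/", "owner": "appsec",
         "expires": "2021-03-01", "reason": "test fixture, not a live secret"},
    ],
}


def fingerprint(finding):
    """Stable id so re-runs update one ticket instead of opening duplicates.
    Line numbers are left out on purpose: moving code must not re-open a ticket."""
    key = f"{finding['rule']}|{finding['file']}|{finding['message']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def is_suppressed(finding, policy, today):
    """A suppression applies only while it is unexpired; afterwards the finding resurfaces."""
    for s in policy["suppressions"]:
        if s["rule"] == finding["rule"] and finding["file"].startswith(s["path_prefix"]):
            return date.fromisoformat(s["expires"]) > today
    return False


def evaluate(findings, policy, today):
    """Return the gate decision and the payloads the integrations would send."""
    active = [f for f in findings if not is_suppressed(f, policy, today)]
    blocking = [f for f in active if f["severity"] in policy["fail_on"]]
    tickets = {}
    for f in active:
        if f["severity"] in policy["ticket_on"]:
            fp = fingerprint(f)
            # Assumed, simplified Jira-style create-issue fields keyed by fingerprint.
            tickets[fp] = {"fields": {
                "project": {"key": "SEC"},
                "summary": f"[{f['severity']}] {f['rule']} in {f['file']}",
                "description": f"{f['message']} (line {f['line']})\nfingerprint: {fp}",
                "labels": ["devsecops", f["rule"]],
            }}
    # Assumed, simplified Slack-style webhook body for the channel the team watches.
    slack = {"text": (f"Security gate {'FAILED' if blocking else 'passed'}: "
                      f"{len(blocking)} blocking, {len(tickets)} ticketed, "
                      f"{len(findings) - len(active)} suppressed")}
    return {"pass": not blocking, "blocking": blocking, "tickets": tickets, "slack": slack}


def run_gate(today_iso="2021-01-12", findings=SCAN_RESULTS, policy=POLICY):
    """Entry point a CI stage would call; the date parameter makes expiry testable."""
    return evaluate(findings, policy, date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = run_gate()
    print(json.dumps(result["slack"]))
    for payload in result["tickets"].values():
        print(json.dumps(payload))
    raise SystemExit(0 if result["pass"] else 1)  # non-zero exit fails the CI stage
```

The two details worth carrying into a real gate are the fingerprint (so the Jira integration updates an existing issue rather than opening one per build) and the dated suppression (so an accepted risk in a test fixture does not silently become a permanent blind spot).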

Spark notes that the Radar report and the related “Key Criteria for Evaluating DevSecOps” report provide a framework for decision making, defining selection criteria and evaluation metrics to assess solutions.

“I looked at the report and I was really impressed with the framework. I don’t have this finely crafted of a framework,” Johnson told Spark during the podcast. “I look for fit with purpose. What is the problem that I am trying to solve or the set of problems I am trying to solve.”

One aspect of the reports that stood out to Johnson was the emphasis on ROI in DevSecOps. ROI is not often weighed as a critical decision factor in security solutions, Johnson said, but he found that Collins offered a compelling angle that can help organizations assess the efficiency and value of tools.

“They actually had a really good definition here, which was ‘Gains of the tooling significantly outweigh the costs and overhead of using it,’” Johnson said. “So it’s not saying it’s going to save you X amount of dollars. It’s helping you answer [the question], ‘Is it worth it?’”
