IT Security Guru

How Can Security Training Harden Your DevOps Process?

By: Viral Trivedi, Chief Business & Solutions Officer at Ampcus Cyber Inc

by Viral Trivedi
April 7, 2021
in Insight

Many organisations that are turning to DevOps are struggling with various security challenges along the way. “The Ultimate Guide of Orchestrating Security and DevOps” traces those obstacles to a lingering “cultural conflict” between developers and security teams. Security teams struggle to keep up with the pace that DevOps teams are used to, for instance, while DevOps teams are culturally resistant to anything, such as security and testing, that could disrupt their work and slow down the development process. Together, these differences keep DevOps and security apart, a reality which costs more time and effort when vulnerabilities inevitably surface after a piece of software has already been rolled out.

Uncovering Developers’ Lack of Security Training with DevOps

Organisations need to invest more in security if they are to make the most of their transition to DevOps. That’s where DevSecOps comes in. Here’s how Ampcus Cyber describes this new paradigm in its whitepaper:


DevSecOps is technology agnostic and organisations can use a combination of technologies, policies, and procedures to secure the DevOps pipeline. DevSecOps relies on collaboration between departments, who share the responsibility for establishing and enforcing security practices at every step of the SDLC. Development teams should ensure that their products are reliable, data is protected, and they must comply with regulatory and governance protocols.


That being said, security doesn’t necessarily come naturally to developers. Take the templates used by developers and DevOps teams to configure their cloud infrastructure, for example. As reported by DevOps.com, a research team found that more than 199,000 of those templates in use on the public cloud suffer from medium to high vulnerabilities. Those security gaps appear to reflect the rate at which developers are attempting to deploy applications to the public cloud, the researchers found. They all uphold the three-step DevOps process—design, code and deploy—but they don’t all scan for potential vulnerability issues.


On the Need for Developer Security Training

In response, organisations need to focus on offering security training to their developers. Those that choose to do so will effectively set themselves apart from most organisations in the process. Indeed, an ESG survey report found that just 20% of organisations offer security training to new developers who join the company, while about a third (35%) of respondents said that less than half of their developers participate in any formal training at all.


Organisations that did admit to training all of their developers generally didn’t emphasise the importance of those programmes, either. Why else would fewer than half of respondents reveal that they require their developers to participate in formal security training more than once a year?


Organisations are making a big mistake in not taking the security training of their developers more seriously. Quoting from our Whitepaper:


Developer security training is foundational to all the security tracks highlighted in this procedure. Without this training, together with experience and a security mindset, it will not be possible to do threat modeling, write accurate security user requirements, or evaluate Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) results.

All of this raises the question: how can organisations go about properly training their developers?

First, they need to remember where their developers are coming from. Security Boulevard clarifies that developers don’t naturally focus on security because they’re “builders” and not “breakers.” Their job is to focus on creating functional features, not trying to figure out what could go wrong. As a result, organisations can’t presume that developers will naturally think like security experts. They need to provide their developers with structured training that walks them through the security concepts that they need to know.


Second, they need to offer training that doesn’t waste developers’ time. Security Boulevard explains in another blog post that the training should consist of courses with demos and practical examples that all directly relate to the technology and platforms that developers are using. To make the most of that training, organisations can offer micro-modules to their developers via an online education portal. This format emphasises targeted learning, continuous recall and personalised bursts of education whenever time permits. Organisations can also encourage their developers to make time for training by creating an incentive structure tied to the number of courses, or series of courses, that they complete as part of the security training programme.

What Can Be Done

Creating a security training programme that accomplishes all of the above might be difficult for organisations to do on their own—especially if they’ve never offered this type of training before. Fortunately, they can remedy that fact by working with a managed services provider. The provider uses its end-to-end DevSecOps Consulting Services and Solutions to assess the strength of organisations’ existing DevOps and security maturity levels, training and tools. Next, it creates solution frameworks before formulating and executing a tailored plan through which it implements and supports new DevSecOps initiatives that incorporate security into build automation, environment management and other areas of the business, all while adopting supportive processes, technologies, training and governance measures.


Security might not come naturally to developers. But with the right managed services provider guiding them, organisations can offer the training that their developers need in order to make DevSecOps into an efficient reality.


© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic