Problems Solved by DevSecOps

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What problems are solved by DevSecOps – where is the greatest value realized?" Here's what they told us:

Velocity

  • Product and company velocity of delivering features to customers. How fast customers are gaining value from new features or client requests. We're confident to say we are continuously shoring up our defenses. If everything had to be manually vetted, you could not keep up. Confidence in delivering secure, high-quality software.
  • With proper attention paid to security, product development and distribution would be much safer and faster.
  • Protecting data and applications without affecting business operations. DevOps provides a quicker time to value for customers and does that continuously throughout the product life with the end user. DevOps may ultimately evolve into such an efficient process that it provides real-time deliverables. In that environment, speed is essential. Protecting without impacting is what DevSecOps should strive to become.
  • 1) DevSecOps solves for both DevOps and Security/Compliance at the same time. It enables businesses to rapidly bring new applications to market but in a safe and compliant manner, ensuring business requirements are met or exceeded along the way. At the same time, implementing DevSecOps also requires the service organization to mitigate, avoid, transfer and accept any residual risk necessary to operate and reach customers. The greatest benefit to a service organization of DevSecOps is continuously learning from customer feedback through lightning-fast application deployments – without having to compromise on security or compliance. 2) In the same way that DevOps helped reduce the psychological distance between the development and operations teams, DevSecOps brings security into the fold and becomes part of the ongoing engineering process. This has security benefits, of course, but it’s a rising tide that lifts all boats – a secure system will be more reliable and resilient, with a better ability to detect unexpected activities of all kinds.
  • DevOps started because of the desire for speed. We’re seeing quicker releases. When I look at the overall market it’s probably the reduction of risk by designing with security baked in from the beginning.
  • It comes back to the different kinds of risk that exist. In financial services, there are regulations and fines tied to regulation. How damaging can a breach be to the brand? The cost of implementing good security controls doesn’t have to be extreme. Companies can adjust the amount of work, effort, and cost to the risk they have. If databases have security built in it reduces risk.
  • The greatest value of DevSecOps lies not with automation and efficiency, but rather, in the ability to help the business manage cybersecurity risk. This means all DevSecOps activities should focus on managing risk and improving cyber resiliency for the organization.

Security Conscientious

  • Security becomes a top motivation. By default, DevOps provides uptime, feature velocity, and scale. If DevOps is working, security is built-in.
  • Embracing DevSecOps maintains innovation velocity that translates to the achievement of business goals without skimping on security. More professional DevOps teams take security seriously, being mindful about how things work and how things work securely.
  • We have all heard about large organizations being sued and hurting their brand image due to security vulnerabilities in their software and applications, and the applications causing compromise of customer information. DevSecOps ensures that security is a norm and not an afterthought, ensuring developers always develop with the security of applications in mind.
  • Culture developed around it. Everyone is responsible for security. Automation of tools to keep up with speed and agility is great. Make sure you’re building security into every phase. Data breaches could be the result of a design flaw, not just bugs. If security is implemented in design, the breach may not have secured.
  • DevOps in the early days is about moving fast and agility. But then you realize you can’t improve speed without improving security. No number of features or availability will stop security incidents. Helping clients ensure security in the fast-moving environment.
  • The goals of development teams — speed, flexibility, innovation — can seem at odds with what security teams need to do, and traditional models of security are often perceived as blockers for development. A DevSecOps culture that unites both groups around a shared objective and pushes security “to the left” weaves security steps into developer workflows and results in faster, more secure releases without stifling developer innovation. Whatever the mission of the development organization, a DevSecOps culture supports and enables it, positioning security as a partner for successful software delivery.

Build a Simple Chat App Using Java and Stateful Web Agents

Even the simplest chat user interfaces belie a world of architectural complexity. Features like authentication, user presence, chat rooms, user counts, message encryption, and countless others represent a significant undertaking. However, with the right tools, building an enterprise-scale chat application is not only possible, it can be done relatively quickly.

This post is a tutorial for building a basic chat application using the open source Swim platform. The app we’ll be referencing was built by Scott Clarke, a UI developer at Swim, and the source code is available on GitHub. Because this chat application is intended to demonstrate Swim development patterns, as opposed to being a usable product, we have not included features like authentication or comprehensive user state tracking. While we do include user presence in the chat app, we took the simplest approach possible and just display a user’s local IP address. This app may be simple, but the same patterns we demonstrate here can be used to build a massively scalable version, and can easily be integrated with authentication services or other third-party software.

No-Skills-Required Design Tools for Entrepreneurs

This is the age of self-employment and entrepreneurship, and a large number of entrepreneurs are solopreneurs. This means that they handle a variety of tasks on their own, including marketing, branding, sales, accounts, etc. Fortunately, the internet provides plenty of …

Dependency Management and Versioning With a Maven Multi-Module Project

In this article, we are going to look at how to implement a multi-module project in Maven with versioning and dependency management, as well as the best practices for building big, large-scale projects from both a developer perspective and a DevOps/management perspective.

However, if you are not familiar with Maven, I highly recommend reading this article first and getting some experience using Maven. This article will not cover Maven basics.

What Impact Might Automation Have on the Diversity in Public Service?

Predictions about the impact of autonomous technologies on the workplace have been as varied as they have been numerous. What we all agree on, however, is that there will be some kind of impact. The latest study to offer up a prediction comes from the University of Kansas and explores the impact automation might have on the public sector. The study looks not only at the traditional aspects of the automation of work but also whether the introduction of new technologies might influence the equity of service provision.

The authors make a debatable start by arguing that many of the investments in automated technology are driven by efficiency concerns, which is a proxy for layoffs and reduced headcount, and while this is fine and dandy in the private sector, the public sector has more noble ends and must also aim for both the fair and equitable delivery of vital services to the public and the creation of an equal opportunity workforce.

DBMS_JOB — Watching for Failures

I had a friend point this one out to me recently. They use DBMS_JOB to allow some “fire and forget” style functionality for the user, and in their case, the jobs are “best efforts” in that if they fail, it is not a big deal.

While this may sound counter-intuitive, if you rely on jobs submitted via DBMS_JOB to fail, then please read on.

Top 4 Website Security Tips for Development and Hosting

Too many small and medium-sized businesses (SMBs) have a pervasive, persistent delusion: “We’re too small — hackers wouldn’t be interested in us.” But it’s never really been true.

And now, it is demonstrably, statistically not true. The latest Verizon Data Breach Investigations Report (DBIR) found that 43 percent of breaches involved SMB victims. That’s two to four times the percentage of victims in the public sector (16 percent), healthcare (15 percent), and financial (10 percent).

The Challenges of IT Automation

IT automation is the digitization of IT. It digitizes IT processes such as the provisioning of new servers, the installation of new software, and the delivery of applications. Successful implementation can lead to cost savings, increases in efficiency, and a reduction in personnel costs. You should be paying just as much attention to IT automation as to digitization.

IT automation poses the same challenges as digitization and the added value is just as high.

As with digitization, it is important to know all of your processes and their results. These results are your (technical) IT services. IT automation describes these services in a computer-understandable schema. IT processes are mapped in programs that are executed using software (configuration management systems, infrastructure as code systems).

Part 1: How Canary Deployments Work in Kubernetes, Istio, and Linkerd

This is the first of a two-part series on canary deployments. In this post, we cover the developer pattern and how it is supported in Kubernetes, Linkerd, and Istio. In part two, we’ll explore the operational pattern, how it is supported in Glasnostic, a comparison of the various implementations, and finally the pros and cons of canary deployments.

A canary deployment (or canary release) is a microservices pattern that should be part of every continuous delivery strategy. This pattern helps organizations deploy new releases to production gradually, to a subset of users at first, before making the changes available to all users. In the unfortunate event that things go sideways in the push to prod, canary deployments help minimize the resulting downtime, contain the negative effects to a small number of users, and make it easier to initiate a rollback if necessary. In a nutshell, think of a canary deployment as a phased or incremental rollout.

Company Overview: Qumulo

I appreciate the opportunity to meet with Molly Presley, Global Product Marketing Director and Jason Sturgeon, Senior Product Manager of Qumulo, the eighth company on IT Press Tour #31 at Kleiner Perkins Caufield Byers' offices on Sand Hill Road in Silicon Valley. Kleiner Perkins is an investor in Qumulo.

Qumulo was founded in 2012. According to Molly, cloud-based file storage is growing faster than on-premises with architectures and strategies falling into three groups: native, overlay, and hybrid – with hybrid being the dominant use case.

Configuring the Xerces XML Parser With Content Model Defaults

My previous post on JSON schema included a slight dig at XML, which perhaps wasn't really warranted. True, XML is clunkier and more verbose than JSON, but it has its strong points. The clincher for me in past projects has been the superior expressiveness of XML's schema format: XSD. XSD has quite a few capabilities that JSON schema lacks, such as referential integrity constraints, and the ability to specify attribute defaults in one's content model. This article provides a quick overview of the latter feature via a code sample that illustrates how to configure Apache Xerces. The configuration we present enables you to read in XML content such that it is auto-populated with the proper default values for attributes, even if the original source XML does not contain any definition at all for those attributes.

Why is this useful? Well, suppose you have developed a content model that allows your users to configure some run time data. For example, say you have a game with actors that can be animals or people. You define an XSD (schema) which allows game configurers to define a cast of characters for the game using XML, like this:

How the Data Transformation Process Works

As your business grows and evolves, so does the number of data formats and applications you must also support. Whether an enterprise is trying to onboard a new trading partner or ensure that it meets all the requirements a customer has, data is coming from many different places.

The last thing your enterprise wants is to be difficult to do business with. You need to be able to communicate efficiently with the members of your digital ecosystem in order to expand and take on more customers. That’s why efficiency in the data transformation process is so valuable to an organization: companies that can handle data formats of any size, shape, or form are the ones that are going to thrive in the age of the cloud.