Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

3 Key DevSecOps Trends for 2021

Home
Industry Insights
3 Key DevSecOps Trends for 2021

Blog Article Published: 07/29/2021

This blog was originally published by Blue Hexagon here.

Written by Saumitra Das, Blue Hexagon.

DevSecOps is a term that means different things to different people. I see it as primarily as an umbrella term for “continuous security” or security that is built into the process of building, shipping, and running business logic. The pandemic-induced fast-paced cloud migration that we are witnessing makes improvement and adoption of DevSecOps practices even more critical.

Tom Smith recently wrote a great compilation of what many of us in the industry see as the upcoming trends in DevSecOps. Here are three key takeaways:

Supply Chain Security

There have been several supply chain attacks in recent memory and it is top of mind for CISOs, CIO, and SecOps teams. From the large-scale Solarwinds compromise to attacks from deploying third-party code like agents or appliances or even testing software inside an organization; supply chain is the new way to break in. There is significantly higher supply chain risk in the cloud due to the nature of agile software development and release processes. A few months ago, half of the Docker Hub images were found to have a critical vulnerability and thousands had implanted malicious code. Supply chain attacks allow the attacker to gain an initial foothold with privilege in an organization. Following this, attackers usually commence command and control followed by lateral movement and exfiltration. Jeff Williams talks about this supply chain risk as well from an AppSec perspective. I have previously advocated an agent-less approach from a runtime security perspective to minimize supply chain risk.

BizDevSecOps

Injecting the business user needs and breaking down silos for improving user experience. Gregg Ostrowski talks about how optimizing the user experience for an organization’s digital services is key to customer satisfaction. Ajay Gandhi talks about Dev, Ops, and Security coordinating with business owners directly so “everyone draws from a single source of truth”.

AI and Automation

Cloud scale DevSecOps needs automation to keep up with the rapid changes introduced by developers. Developers and ops teams usually dwarf the security teams by an order of magnitude. The key to maintaining visibility and security with DevSecOps is automation. Using cloud-native automation to drive DevSecOps processes to keep up with rapid infrastructure and workload changes is a key enabler that needs to be leveraged. As an example, changes in infrastructure or a bringup of a new instance of the container should trigger a series of checks automatically. AI is a key ingredient in getting the signal from the noise. Even if security teams have no “darkspace” in their cloud the next issue is how to actually have detection of issues. Not just static detection, but detection prioritized by risk to the organization. Not just static detection, but detection on issues that only manifest at runtime. AI can uncover hidden malicious code and unusual patterns of command and control for supply chain infections in the cloud. I argue that just checking for CVEs statically is necessary but nowhere near sufficient. As http://bluehexagon.ai/blogSeth Vargo describes in a recent episode of the Google Cloud Security Podcast, “one cannot simply check for problems and then put something into production and go away”. New CVEs keep coming up and many attacks go after yet unknown CVEs. AI-based detection infused into the DevSecOps processes allows for defense against malicious code implants and the attacker or human-introduced misconfigurations.

Additional Resources:

For more detailed information, read the full article by Tom Smith here https://www.insightsfromanalytics.com/post/opportu....

Read other interesting blogs by Blue Hexagon at http://bluehexagon.ai/blog.

Artificial IntelligenceDevSecOps

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Level up with Cloud Infrastructure Security Training
Related Articles:
Are You Ready for Microsoft Copilot?

Published: 04/19/2024

Kernel Introspection from Linux to Windows

Published: 04/18/2024

Cloud Security Alliance (CSA) AI Summit at RSAC to Deliver Critical Tools to Help Meet Rapidly Evolving Demands of AI

Published: 04/17/2024

The Data Security Risks of Adopting Copilot for Microsoft 365

Published: 04/16/2024