 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Capsule8 sponsored this post.
“DevSecOps” has recently entered the security lexicon to describe a hybrid of DevOps and security practices — and as we will see below, for good reason.
Most commonly, DevSecOps focuses on the narrow interpretation of DevOps as automation of the build/delivery pipeline. Thus, the typical notion of DevSecOps focuses on the software development lifecycle, attempting to put testing in as early as possible into the design process to protect the integrity and performance of the system at large.
A broader interpretation would see DevSecOps’ role as a mindset and practice. In this way it extends beyond just security automation and manifests itself as a culture that produces valuable results for the business.
For DevSecOps, this raises the question: If DevOps prioritizes software delivery performance, what should security prioritize to support this?
In this post, we describe which specific security metrics you need to help, instead of slowing down, your organization’s business processes.
👁 Image
There are four foundational principles to keep in mind when measuring security, drawn from optimal DevOps metrics from the seminal book , et al.:
Before we dive into our list, it’s important to acknowledge that most security metrics are vendor-biased, particularly those espousing DevSecOps-specific metrics. An unfortunate byproduct of the security testing market is that we rarely see metrics outside of individual security products — for the simple reason that vendors won’t sell you on metrics that their own products can’t measure.
But make no mistake: you are what you measure. That’s why businesses should be careful about choosing the right metrics that fit with their security goals — regardless of whether their businesses adopt DevOps principles or not. Because if you optimize for a narrow goal, you’ll end up with a narrow program.
Broadly speaking, security metrics that support software delivery performance can be grouped into three main categories:
Mean time to failure (MTTF) is one metric security teams should not measure. Failure is inevitable, and to have a metric that incentivizes failure avoidance is unrealistic at best, counterproductive at worst. It takes attention away from the metrics that actually help remediate threats and build resiliency within the organization.
Improved security almost always comes with tradeoffs — whether that’s more friction or higher costs in time or money.
Here’s a basic example: the reduction in the number of security fixes per new release may be counterbalanced by an increase in employee time spent using security tools. And when you look beyond the security team, the newly added security feature may be outsourcing pain to other parts of the organization.
Having metrics in place to measure the impact of deploying a new security solution forces teams to seriously assess whether the benefits of a new release truly outweigh its costs.
Obviously, the types of metrics used to measure trade-offs would be highly dependent on individual circumstances. But teams can start by asking themselves a few basic questions:
The complexity of your overall system brings a new level of risk that goes beyond any individual component. These systematic risks need to be taken into account within the organization’s security strategy.
For example, organizations can start by quantifying and balancing the short term and long term stresses to system:
Finally, in our collective exuberance to do testing earlier in the SDLC, we must also assume failure during runtime as well in order to implement a resilient security strategy. Without understanding incidents in production, it’s difficult to create a continuous feedback loop to harden your container images — and certainly harder to continuously improve the security of non-microservices systems, too. Once appropriate security metrics are implemented for production, they can provide valuable feedback into improving pre-release testing. More importantly, they can even ensure security is enabling the business — rather than choking it.
Feature Image by Dominic Alberts from Pixabay.
