Go Beyond DevSecOps to Continuous Security
Continuous. If you have been around DevOps for any length of time, then you have heard this term, as in Continuous Integration, Continuous Build, Continuous Deployment, Continuous Delivery, Continuous Testing, and Continuous Planning, among others. Now we are living in a time when personal and data privacy matter more than ever, and so one more "Continuous" is rising to the forefront: Continuous Security.
But what really IS Continuous Security? Is it simply a notion of running scans and tests as part of a pipeline and reporting vulnerabilities? We think it is much more than that. For years organizations have been good at validating that applications perform the way they are intended to and do what they are supposed to do, so that they can be relied upon. But today it is not enough for applications to just be functional - they must be trustworthy. Add in ever-growing regulations like GDPR, NYDFS, and CCPA, and you'll find that if they are not trustworthy, you could face serious penalties or even charges. But how do you achieve and maintain trust? Security has to be of constant, paramount importance, which means it's time for Security to be continuous too.
We will start with a brief view of the current thinking around DevSecOps and how it traditionally focuses only on adding security practices to pipelines. This is a great thing, but it is not enough. We will then outline our view of Continuous Security and cover 6 key capabilities that we believe are paramount, illustrating key facts about each and ways to know if you are doing them well. Finally, we will outline how these capabilities work together.