The InfoQ eMag - DevSecOps: Shifting Left in Practice

There are two aspects that make cybersecurity a difficult problem. The first is that security is broad enough to permeate everything from technology to culture. The second is that while developer productivity and IT operations have improved, security has stayed relatively stagnant with the likelihood of a severe vulnerability in 2021 about the same as it was in 2016.

The security force that looks like it’s working is one that enables developers to understand and use security tools as self-service to get rapid automated feedback. This trend of shifting security left follows the same work that made agile and DevOps integrate into most software teams. Just like unit testing, CI/CD automation, and frequent deployment cycles improved our ability to find and fix bugs, security can improve in the same way. Agile and DevOps don’t prevent bugs from ever happening, they improve our ability to learn and respond. Security and DevOps techniques like infrastructure as code, observability, and vulnerability detection won’t prevent all breaches but they will improve our ability to learn how systems fail and how to recover.

Security breaches and data loss have serious consequences - typically far more serious and far-reaching than a basic bug. In one example, Equifax, the failure to patch a single vulnerable library opened a deserialization breach that lost records and resulted in a 575,000,000ドル fine from the US Federal Trade Commission. Rather than waiting for your own first-hand experience on the receiving end of a data breach, we have distilled and collected the expertise from many different software leaders to help readers secure their own applications, infrastructure, and organizations.

We would love to receive your feedback via editors@infoq.com or on Twitter about this eMag. I hope you have a great time reading it!

Free download