DevOps has proven to be more than just an industry buzzword, but as the term starts to gain widespread use in modern software development parlance, an emerging successor has begun to take hold: Rugged DevOps, also known as SecDevOps/DevSecOps. RSA Conference (RSAC) 2016 dedicated a track to the emerging practice earlier this year, so it's likely to become as prevalent as its predecessor by next year's end—especially since RSAC plans to highlight the methodology again in 2017.
Rugged DevOps is simply the confluence of DevOps and information security (infosec), a practice that, like DevOps, is anything but simple to carry out, but arguably more pressing given the nature of today's cyber threat landscape. In the past, we've discussed ways in which government entities and the healthcare industry can benefit from Rugged DevOps; by now, it has become crystal clear that all firms stand to benefit from such practices in pursuit of enterprise cyber resilience. For the uninitiated, cyber resilience espouses the incorporation of risk management into the way enterprises counter digital threats. Succinctly, cyber resilience calls for adopting mechanisms to ensure that inevitable security compromises don't sink the business.
Consider the similar plight of drive-time commuters making their way to/from work, day in, day out: according to estimates by the car insurance industry, drivers licensed at the age of 16 are likely to experience a crash by 34, if not earlier. In the average lifespan of a driver, 3-4 accidents are typical. Almost 1.3 million people die in car accidents every year globally (an average of 3,287 deaths/day), with an additional 20-50 million injured or disabled. Such statistics only reflect normal driving behavior, without taking into account common misbehavior such as consuming even one beer before getting behind the wheel (happy hour, anyone?) or texting while driving—behaviors that make drivers 46% and 23 times more likely to crash, respectively. On a less morbid note, the odds of getting pulled over for a driving-related incident are 1 in 11.5, while the odds of getting an actual citation after being pulled over are 1 in 1.8.
For most people, no amount of sobering statistics will keep them from getting behind the wheel. This is because the automobile industry—in over a century of developments—has seen the emergence and evolution of numerous safety mechanisms and risk management controls that keep inevitable driving-related catastrophes from harming drivers. Technological innovations like airbags, seat belts, anti-lock brakes, and vehicle crumple zones all work to this end. And when car accidents do occur, automotive insurance policies—as required by law—prevent resulting financial losses from bankrupting unfortunate drivers.
The same goes for enterprises vis-à-vis cyber attacks: each and every firm will eventually fall victim to one or several, but this shouldn't prevent aspiring companies from starting up or cause successful businesses to meet an untimely demise. Cybersecurity technologies are the tech world's airbags and anti-lock brakes; likewise, the emergence of cyber risk insurance policies for mitigating data breach-related financial losses increasingly resembles the ubiquity of automotive insurance.
Rugged DevOps and Cyber Resilience
Rugged DevOps enables enterprises to achieve ongoing cyber resilience in numerous ways:
Rugged DevOps addresses the new challenges in maintaining application security introduced by rapid software iterations and deployments.
To use the automotive analogy one last time, Rugged DevOps is like a high-performance vehicle with the best electronics and safety mechanisms: it will get you to work faster, safer, and in better form than your colleagues—all while (hopefully) avoiding speed traps and police radar/lidar.* With Rugged DevOps, software companies and enterprises can appreciate all the competitive advantages that DevOps brings while at the same time bolstering security and compliance with regulatory measures.
Similar lessons/benefits from DevOps can be readily translated to security operations.
At the end of the day, businesses must take digital risks in order to remain competitive. This could mean digitizing assets for better enterprise agility/productivity, adopting cloud technologies to achieve economies of scale, bringing on new ecosystem partners to improve the supply chain, and more. All of these activities invariably increase an enterprise's exposure to cyber risk. By baking in and automating infosec practices, security testing and assessments, and remediation activities, security operations can allow firms to achieve the speed and quality necessary to remain competitive.
In short, Rugged DevOps gives businesses the tools to handle cyber risk from a strategic planning perspective, as opposed to treating it as a sole function of infosec and IT. This latter approach has failed time and time again, as evidenced by the ongoing security failures inside the world's largest enterprises. UpGuard's cyber resilience platform is the preeminent solution for enabling Rugged DevOps in your organization—our Cyber Security Threat Assessment Report (CSTAR) allows enterprises to gauge and understand their cyber risk profiles based on both internal and external measures. Leading cyber risk insurance providers also rely on UpGuard and CSTAR to insure businesses against data breaches. To learn more, give our risk grader a spin to determine your firm's CSTAR rating—or better yet, try out UpGuard for free today.
*For illustrative purposes only. Please don't drink and drive—or speed for that matter.