DevSecOps Transformation: The New DNA of Agile Business

Why DevOps Is a Big Deal

Businesses are under increasing pressure to adapt quickly to customers through multiple digital channels. Digital transformation and Agile or continuous development are key to customer satisfaction and long-term profitability. [2]

- 87% of executives believe digital transformation will disrupt their industries, and 56% think they are not prepared for the change. [1]
- Firms with high-performing IT organizations are twice as likely to beat profitability, market share and productivity goals. [3]

What Is the Problem for InfoSec?

DevOps produces applications and changes too quickly for InfoSec to keep up. Most DevOps code is written for web applications, and 40% of data breaches involve attacks on web applications. [6] Traditional analysis, reporting and remediation can take longer than the development cycle itself.

- InfoSec performs AppSec testing at 83% of organizations. [4]
- Only 17% of InfoSec organizations can keep up with Agile or continuous development. [5]

How Security Teams Can Fix the Problem

InfoSec must find a way to keep up. Compare the two delivery models:

    Traditional Development        DevOps
    9-to-12-month AppDev cycle     One-day cycle time
    Large releases                 Small, low-risk releases
    Manual deployment              Automated deployment

High-performing (DevOps-enabled) organizations: [3]

- Deploy 200x more often
- Recover from deployment failures 24x faster
- Spend 22% less time on unplanned work
- Spend 29% more time on new work
- Fail one-third as often

Seven DevSecOps Imperatives

1. Embed automated tests and validation of controls into the deployment cycle.
2. Inventory and analyze reusable code to avoid reintroducing flaws.
3. Monitor code and results continuously in production.
4. Create "triggered" responses that can roll controls back to a known good state if there is a problem.
5. Evaluate AppSec tools for DevOps capabilities and automation; replace them as needed.
6. Align and coordinate with Dev, Sec and IT Ops teams, and keep communication constant between them.
7. Commit to a culture of process descriptions, automation, continuous monitoring and remediation.

Sources

1. MIT Sloan Management Review, 2016 Digital Business report; http://sloanreview.mit.edu/projects/aligning-for-digital-future/
2. "Digital Transformation in the Age of the Customer," Accenture; www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Digital_2/Accenture-Digital-Transformation-In-The-Age-Of-The-Customer-Infographic.pdf
3. "State of DevOps 2016," DevOps Research and Assessment; https://continuousdelivery.com/evidence-case-studies/#research
4. "SANS 2015 State of Application Security: Closing the Gap"; www.sans.org/reading-room/whitepapers/analyst/2015-state-application-security-closing-gap-35942
5. "IT Speed: The Crisis and the Savior of the Enterprise," a Forrester Consulting study commissioned by Chef, December 2013
6. 2016 Verizon Data Breach Investigations Report (DBIR)

Visit the SANS Analyst Reading Room: www.sans.org/reading-room/whitepapers/analyst

SPONSORED BY
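The seven imperatives above describe a process rather than code. As an added example (not from the SANS infographic or from any of the sources it cites), the following Python sketch shows what imperatives 1, 3 and 4 look like when wired into a single deployment step: a pre-deploy gate of automated control checks, a post-deploy health probe standing in for production monitoring, and a triggered rollback to the last known-good configuration. The configuration keys, the three controls, the health probe and the sample configurations are all hypothetical and constructed for illustration; in a real pipeline the checks would run against your own service schema and the deploy and rollback calls would go to your orchestrator.

```python
# Added example, not from the SANS infographic: a minimal deployment gate that
# wires imperatives 1, 3 and 4 together. The service configuration schema, the
# three controls and the health probe are all hypothetical, invented for
# illustration; plug in your own checks and your orchestrator's deploy/rollback.
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # name of the control that failed
    detail: str    # what was wrong


# --- Imperative 1: automated validation of controls, run before every deploy ---

def check_tls(cfg):
    """Control: only TLS 1.2 or 1.3 may be negotiated."""
    version = cfg.get("tls", {}).get("min_version")
    if version not in ("1.2", "1.3"):
        return [Finding("tls_min_version", f"min_version={version!r}, require 1.2 or 1.3")]
    return []


def check_debug(cfg):
    """Control: debug mode (stack traces, verbose errors) must be off in production."""
    if cfg.get("debug", False):
        return [Finding("debug_disabled", "debug=True leaks stack traces to clients")]
    return []


def check_admin_allowlist(cfg):
    """Control: the admin interface must be restricted to explicit source ranges."""
    ranges = cfg.get("admin_allowlist", [])
    if not ranges or any(r in ("0.0.0.0/0", "::/0") for r in ranges):
        return [Finding("admin_allowlist", f"allowlist={ranges!r} does not restrict access")]
    return []


CONTROLS = [check_tls, check_debug, check_admin_allowlist]


def validate_controls(cfg):
    """Run every control against a candidate config; an empty list means it passed the gate."""
    return [finding for check in CONTROLS for finding in check(cfg)]


# --- Imperatives 3 and 4: monitor after deploy, roll back to known-good on a trigger ---

class Deployer:
    """Tracks the live config and the last config that passed both the gate and the
    post-deploy health probe. That snapshot is the 'known good state' rolled back to."""

    def __init__(self, initial_cfg, health_probe):
        self.known_good = copy.deepcopy(initial_cfg)
        self.live = copy.deepcopy(initial_cfg)
        self.health_probe = health_probe   # callable(cfg) -> bool, stands in for production monitoring
        self.events = []                   # audit trail of (outcome, failed controls)

    def deploy(self, candidate):
        findings = validate_controls(candidate)
        if findings:                       # gate failed: the candidate never reaches production
            self.events.append(("rejected", [f.control for f in findings]))
            return "rejected"
        self.live = copy.deepcopy(candidate)
        if self.health_probe(self.live):   # monitoring passed: promote to known good
            self.known_good = copy.deepcopy(candidate)
            self.events.append(("deployed", []))
            return "deployed"
        self.live = copy.deepcopy(self.known_good)   # triggered response: roll back
        self.events.append(("rolled_back", []))
        return "rolled_back"


# Constructed sample configurations (hypothetical, not real services).
KNOWN_GOOD_CONFIG = {"tls": {"min_version": "1.2"}, "debug": False,
                     "admin_allowlist": ["10.0.0.0/8"], "replicas": 3}
WEAK_CONFIG = {"tls": {"min_version": "1.0"}, "debug": True,
               "admin_allowlist": ["0.0.0.0/0"], "replicas": 3}
BROKEN_CONFIG = dict(KNOWN_GOOD_CONFIG, replicas=0)           # passes the gate but is unhealthy
UPDATED_CONFIG = dict(KNOWN_GOOD_CONFIG, tls={"min_version": "1.3"}, replicas=4)


def probe_replicas(cfg):
    """Constructed health probe: the service is 'up' if at least one replica is serving."""
    return cfg.get("replicas", 0) > 0


def run_demo():
    """Push three candidates through the gate; return the outcomes, final live config and events."""
    deployer = Deployer(KNOWN_GOOD_CONFIG, probe_replicas)
    outcomes = [deployer.deploy(c) for c in (WEAK_CONFIG, BROKEN_CONFIG, UPDATED_CONFIG)]
    return outcomes, deployer.live, deployer.events


if __name__ == "__main__":
    outcomes, live, events = run_demo()
    for event in events:
        print(event)
    print("outcomes:", outcomes, "live replicas:", live["replicas"])
```

Run it with `python3`. Two properties of this shape are the ones worth keeping when the checks are replaced with real ones: a candidate that fails the gate never becomes live, and the known-good snapshot is advanced only after the post-deploy probe passes, so a rollback always lands on a state that was both validated and healthy rather than merely the previous deploy.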