There is no manual for Dev(Sec)Ops
Dev(Sec)Ops is a practice. So start practicing.
In conversations with SecOps, Infrastructure and Development teams, the recurring questions are "where do we start?" and "why are we struggling to adopt DevOps?" More often than not it is a people, process and cultural challenge; technology does, however, have a role to play. It can give teams a common language, namely visibility: What do my container environments look like? How is my cloud infrastructure configured? What changes are happening in my cloud assets?
This is a great starting point for any Dev(Sec)Ops initiative, or for restarting a stalled one. Visibility into these dynamic environments lets Developers educate Security professionals on the dynamic nature of their build pipelines, and helps expose potential security vulnerabilities to the Developers. From there, the teams agree on which guard-rails to put in place and why (that is another topic, about 'shifting left'). This visibility will help up-skill the teams, drive a culture of collaboration and improve the security posture of your application and cloud estate.
Technologies such as Prisma Cloud provide this visibility very quickly, with a couple of mouse clicks.
Add an AWS cloud account to Prisma Cloud (5 min video)
Or connect Prisma Cloud Compute to a container registry:
Within minutes you'll have real-time visibility (similar to the image below) into your cloud and workload environments (this works for hosts and serverless, as well as containers).
From here your Dev and SecOps teams can observe your environments, the change over time and the security posture of these assets, with insights from the Vulnerability Explorer...
or the Inventory Explorer. These are only two examples of a number of monitoring capabilities in the platform.
If you want to understand more about making Dev(Sec)Ops work, here is some interesting reading for you.
NIST - Application Container Security Guide
DOD Enterprise DevSecOps Reference Design
Prisma Cloud Operationalising Guides
As it is KubeCon week in the US, you may wish to register for this upcoming session with Ashley Ward (Technical Director, Office of the Cloud CTO) and Spot, covering 'Kubernetes Container Security'.
Or just reach out to me directly.
If you're interested in seeing how GitLab Inc., HashiCorp and Palo Alto Networks (Prisma Cloud) solve these challenges, register for this upcoming CTO discussion on the 10th Dec: https://lnkd.in/dqeeJ4t
Google Cloud DevOps Essentials training is also worth a look: https://tinyurl.com/y3dkbnyh