Why Are Companies So Reluctant to Adopt DevSecOps?

How does your business approach application development? If you’re like many companies, DevOps is your watchword, and with good reason. Historically, a strong DevOps program allowed for agile operations, shortened the development lifecycle, and gave customers consistent access to the immediate solutions they demand. DevOps has been a powerful solution for tech companies of all sizes – but the problem is that it’s not enough.

Over the last several years, industry experts have encouraged businesses to shift left, taking a DevSecOps approach to application development. Security, these experts argue, needs to be part of the initial development process if applications are actually going to be secure. Why, then, are so many companies hesitant to deploy a DevSecOps approach? It’s a complicated problem, but one that, with proper examination, can be solved to everyone’s advantage.


Argument #1: Slowdown

When the concept of DevSecOps was first introduced, one of the first arguments that companies offered against it was that, instead of encouraging agility, foregrounding security would slow application development down. This can happen, but only if companies don’t sufficiently automate the security code review process. As long as that review is automated, though, DevSecOps doesn’t actually make application development and deployment slower. It can even be faster than the older DevOps model.


How does DevSecOps speed up the application development process? When you build an application and wait until the end to integrate security elements, you have to find a way to fit those critical components into the existing infrastructure. It’s like building a tower and then, once it’s finished, trying to insert a central beam. It may be possible, but you have to disrupt everything you’ve already done. If, on the other hand, you choose to shift left and build in security as you go, you end up with a stronger system whose parts fit together neatly.

Argument #2: More Breaches

It may sound ridiculous, but if you talk to some DevOps-focused businesses, you’ll occasionally hear people say that a DevSecOps approach leads to more security breaches, not fewer. Like other assertions about DevSecOps, though, this one is also rooted in serious misunderstandings of the practice. While top DevSecOps users report more breaches than their DevOps counterparts, experts agree that this is only because they’re aware of those breaches, not because they actually experience more of them. DevOps-based companies simply can’t detect security breaches.


Obviously, it’s better for businesses to be aware of potential or actual security risks because that enables them to actually address and remedy their weaknesses, but many businesses are hesitant to admit that they’re at risk. It’s important for companies to acknowledge that DevSecOps enables risk detection, and that acknowledging breaches is less likely to damage a company than being oblivious to digital attacks.

Argument #3: Expensive Implementation

Changes to business practices can be costly. Whether you’re transitioning from a legacy set of procedures or changing coding languages, any major change can put business on hold and cost your company contracts and profit. Is the same true when shifting to DevSecOps? While in the short term, supporting team members as they learn a new system may hold things up, in the long run DevSecOps can maximize your return on investment.


How can a DevSecOps approach make your company more profitable? Of course, preventing major security problems before they happen, and being able to act quickly when attacked, is financially advantageous, but that isn’t the only reason. Recall the argument above: DevSecOps actually creates a more agile system that launches and updates faster than the DevOps approach. Expert support can also help businesses automate their security infrastructure, streamlining time-consuming and highly technical processes.

Argument #4: Process Silos

DevOps highlights two main elements of the application creation process – the development side and the operations, or customer-facing, side – but despite the shorthand conjunction of the two, it doesn’t really connect them. A DevOps approach still allows professionals to work within their familiar silos. Developers build apps that enable smoother operations, and operations teams may provide guidance and feedback, but they don’t really have to work together. That all changes when companies shift left to DevSecOps, and that’s a key reason why businesses have been reticent to make the change.


In general, application developers and security professionals work on projects separately, because security features are added to an application late in the coding process. When basic development and security functions are built at the same time, however, these previously isolated teams need to come together. To do so successfully, leadership needs to facilitate communication between teams and encourage cross-training. Security experts may not be professional coders, but they can provide guidance to developers. Conversely, developers need to recognize that security is a functional priority.


Increased communication between developers and security professionals is especially important because the current tendency to isolate information in silos is responsible for many cloud security breaches. In fact, recent research shows that 60% of breaches occur in the public cloud (the customer-facing side of applications) because of improper deployment. Developers are unable to make good configuration decisions when it comes to cloud deployment, at least without support, which leaves businesses vulnerable to attack. Shifting to a DevSecOps perspective can close this gap, but it can also improve the defenses of developers who believe they are already following best practices.

Moving Into DevSecOps

These four arguments are just some of the reasons that businesses have been slow to shift left and adopt a DevSecOps approach, but they’re hardly the only ones. As with so many other changes, companies are resistant to this one, even when it’s in their best interest. The problem is that sometimes you have to let go of the old ways in order to be successful.


If your business is stuck in the old DevOps mentality, it’s time to move forward – and Check Point can help. Contact us today for a free security assessment and to learn more about how DevSecOps can benefit your company. Making a big change isn’t easy, but with the right support, you’ll see big improvements.
