How Security Can Enable Cloud & DevOps Adoption
Oct 10, 2019
TauruSeer COO & Co-Founder, Alex Borhani, attended Data Connectors Cybersecurity event in Jacksonville, highlights what it takes for security teams to enable Cloud, new technology, and Secure DevOps processes.
JACKSONVILLE, FL - October 10, 2019 - TauruSeer at the
Jacksonville Cybersecurity Data Connectors Conference, participated on the ending keynote CISO panel. Alex had a strong message for the audience; "you must be constantly adopting new technologies and processes to keep pace with your competition or you will die a slow death. And, security must not be the inhibitor. Cloud and DevOps is how companies are modernizing and transforming."
Here is a quick summary of what was covered in Alex's responses about cloud, DevOps, and risk management in digital environments:
- Work as a Team—start the conversation and bring key stakeholders from security, IT, and software development together. Currently, they are still working in silos, with conflicting incentives and priorities. Successful organizations focus on partnerships to enable employee engagement, communication, and collaboration between teams. Security is a shared responsibility of the entire IT organization, especially during the development process to maintain quality, productivity, and speed to market.
- Modernize Enterprise Compliance and Governance—still one of the top challenges faced in every DevOps implementation. How do you enable a secure culture to mature the implementation to Secure DevOps where employees drive a culture of innovation that consists of openness, transparency, ownership, and accountability. Implementing a policy-based, automatic prioritized remediation at enterprise scale is necessary the faster the digital economy becomes. For example, changes in the environment, like configuration of a security tool or system, should be alerted and monitored through remediation to standard operating procedures.
- Seek Shared Objectives Between Technology and Business Leaders—business executives need clarity and understanding about building security into every process and maintaining products from release and maintenance to end-of-life. Things beyond cloud security—like effective prioritization based on actual risks, technical debt, Shadow IT, people and process, patching, etc.
- Standardize Processes, including Release Management—having the teams evolve to integrating Security Tools, (SAST/DAST/IAST) into standard processes to securely operate at the same speed of modern product development. It starts with addressing systemic challenges of risk through best practices, continuous monitoring, and vulnerability mitigation at the software level to eliminate waterfall security gates, not just the traditional focus at the systems and perimeter.
- Champion Visibility & Awareness—You can't protect what you can't see. When you truly take a step back and think logically about it; you can address systemic operational challenges by focusing at core problems, which, visibility and awareness across the environment finally becomes feasible. Measure and monitor what is running and where with real-time monitoring for vulnerabilities and remediation of those vulnerabilities.
- Integrate Tools & Automation Where Possible—With automation, tedious facets of security and DevOps to allow for actionable insights becomes easy, identifying risk across security, operational performance, and compliance, proving security that allows developers to move faster and security leaders to sleep at night in confidence.
- Evaluate Third-Party Risk Management Differently—Questionnaires vs. REAL Due Diligence and Continuous Vetting, Risk Rating & Cyber Liability Insurance—Vendor risk management programs were a big topic as there's not been much transparency around third parties and if they have adequate controls for business continuity management, performance, viability, reliability, security, and data protection. Who is liable? How do you mandate a REAL due diligence process and continuous vetting as significant performance, audit-related, and, for some industries, regulatory repercussions, can undermine shareholder value and corporate viability. Also, Cyber Liability Insurance sometimes will not cover risks related to regulatory compliance, information security, and performance that arose from vendors if an organization's Third-Party Risk Management Program isn't mature and isn't increasing the resilience due to reliance on service providers and IT or software vendors. Solutions must have capabilities risk assessment to risk monitoring and risk rating.
- Implement Code Ownership as Security Artifacts—Establishing the discipline of 'Code Ownership' by having developers start the process of signing and time stamping code as it is checked in allows detailed insight of source code history, code commit owners, and when changes checked in to track potential code security or suspicious code commit activities. Many times, without this practice, supply chain compromise activities can occur, for example, malicious code being placed into the source code repository.
- Rethink Web Application Firewall in Modern Product Delivery—Web Application Firewalls (WAF) were everyone's friend, so long as they were tested, configured correctly, and maintained. But, WAFs were purpose- built for monitoring the perimeter, not application based protection. With the move to the perimeter disappearing with cloud-native SecDevOps, WAFs struggle to stay relevant. Finally, given the historically contentious relationship between engineering and security teams, leaders need a better way to unite SecDevOps teams to secure the environment. We saw this happen with Capital One a few months ago.
SHARE!
More news and blogs
Start Left Security, a pioneer in the product security / cybersecurity space has been selected to participate in the Microsoft for Startups Pegasus Program
Gula Tech Adventures, Lytical Ventures, and Dasein Capital lead Seed investment in Start Left™ Security, supported by other strong investors: DeepWork Capital, Florida Opportunity Fund, and Bootleg Advisors. JACKSONVILLE, FL, June 27, 2023—Start Left™ Security, powered by the patented Tauruseer Application Security Posture Management (ASPM) Platform and SPACE™ Behavioral Analytics, today announced that it has oversubscribed and closed $3.0 million Seed financing led by notable cybersecurity, data analytics, and artificial intelligence (AI) venture capitalists and industry experts. This demonstrates the market’s confidence in Start Left™ Security's vision and its ability to deliver innovative solutions that address evolving security threats.
Introducing Start Left™ Security: Embracing a New Name, a New Perspective in Security
Achieve SOC 2 Compliance and Security Posture Management Maturity with Minimal Spend Leveraging Tauruseer's differentiated Cloud-Native Application Protection Platform (CNAPP): Security Posture Analytics + Cognition Engine (SPACE ™ ), Purpose-Built for Growth SaaS Startups and Small to Midsize Businesses.
Designed to enable cloud-native innovators to quickly scale, become enterprise-ready, and transact on the Azure marketplace.
“ Cloud security posture (CSPM) incumbents launched traditional approaches leaving huge gaps, as they don’t understand the needs of modern DevOps pipelines or developers.
Business Leaders: Is your DinoCISOaur holding your company back, slowing innovation, upsetting developers, and placing business at risk?
JACKSONVILLE, FL, June 9, 2020 – Tauruseer is the proud official presenting partner for SAE International's 2020 Government and Industry virtual conference! This conference is an opportunity to explore how technology, regulations, and legislation will affect the design of aerospace and defense solutions in terms of software, hardware, and product integrity. Tauruseer co-founders have been invited to present at the SAE G-33 to the entire Configuration Management Committee on how a model-based enterprise, adopting concepts such as " Shift Left ", the Product Centric Risk Model ™ , Inventory of Intelligence ™ , Centralizing Monitoring , and Continuous Assurance drives the way DevOps is supposed to be. Tauruseer will demonstrate what true DevOps looks like and how Tauruseer's platform can provide demonstrable evidence of DevOps done right. Furthermore, they will walk through how Continuous Assurance enables organizations to fully embrace DevOps through holistic change, resulting in quantifiable benefits: Enhanced Situational Awareness across product portfolio Enterprise Visibility (human, product, and process threats) Efficiency gains (productivity on the right things) Decreasing costs (intentionally designed controls) Reduced complexity (robust decision support) VERIFIED Governance, Risk, and Compliance "GRC" (Continuous Assurance) Tauruseer will highlight real-world examples that shine a light on how technology that we depend on everyday can make a difference between life and death. While DevOps seeks to balance throughput, stability, quality, and speed, Tauruseer assures organizations there is not compromise in security, performance, and compliance while doing so- especially when lives are at stake. Sharing stories enables better collaboration when standards, regulations, and legislation needs updating to align with continuously evolving product development practices. JOIN THE CONFERENCE! TAURUSEER PRESENTATIONS TIME: 1:55pm EDT TOPIC: Software SecDevOps and Configuration Management (CM) – Understanding the Challenges Speakers: Larry Gurule, Jeremy Vaughan & Alex Borhani TIME: 3:10pm EDT – 4:00 pm EDT TOPIC: Software SecDevOps and Continuous Assurance (CA) – Achieving Management’s Goals and Continuous Improvement through appropriate Configuration Management (CM) Speakers: Larry Gurule, Jeremy Vaughan & Alex Borhani Virtual Details: WebEx G33 Meeting Meeting number: 622 476 853 Meeting password: June2020 Call-in number: 1-866-469-3239 INFO: SAE International's G33 standards are adopted and enforced by NATO, NASA, FAA, DOE, DOD, aspects of the European Union, and the European Space Agency for large federal suppliers contracted to provide tamper-proofed audit trails, traceability, and trusted reporting of managed compliance as it relates to Software Configuration Management and Continuous Assurance. Visit Tauruseer's website and ask for a demo to showcase a variety of GRC for DevOps use cases: Proactive Security Continuous Compliance Conduct & Culture Insider Threat Reporting
Part 1 in this series: “ Risk Enabled Growth: Business Strategies to Leveraging Risk & Capitalizing on Digital Growth Opportunities " included the perspectives of cybersecurity and integrated risk management expert Jeff Sauntry of Risk Neutral, privacy, risk, and compliance experts Rob Harvey and Greg Kraft of Online Business Systems, and business strategy, product innovation, and product security expert Jeremy Vaughan from Tauruseer Inc. Watch if your role involves: - Maximizing value creation achieved at the synergy of talent, tangible, and intangible assets - Enabling trusted digital experiences for employees, partners, and customers - Oversight for Strategic, Operational, Financial, Compliance or Reputation Risk as part of your organization's 3-Lines of Defense (3LoD) - Mitigating the potential disruptive impact of events and unlocking the economic potential of your organization's resources and assets
Start Left™ Security is committed to equipping product teams with the tools they need to excel in delivering world-class software while propelling the careers of developers forward. Our AI-powered SaaS platform, backed by multiple patents, offers a robust suite of capabilities spanning software supply chain security, product security, security posture management, and secure code training in a gamified DevSecOps experience.
