The Future of DevSecOps: Webinar Recap

Nurit Bielorai
Jun 14 · 4 min read
What is the Future of DevSecOps?

The relevance of DevSecOps has grown in recent years as companies solidify their move towards automating the software delivery lifecycle, and especially recently in light of several major attacks that specifically targeted security gaps within the development process.

Argon Security’s CTO Eylam Milner recently joined a thought-leadership panel to discuss the current and future state of DevSecOps alongside Aaron Stanley, Director and Global Head of Cybersecurity at Twilio, and Amir Jerbi, Co-Founder and CTO of Aqua Security.

Read below for some of the top DevSecOps insights from the session:

The session started with Eylam (Argon) sharing the main findings of the global survey recently conducted by Argon and their implications. The survey revealed that 90% of companies are using CI/CD pipeline tools to develop and deliver software, but that almost all of the security leaders interviewed do not feel confident in the security of these environments. According to these leaders there are several challenges behind this lack of confidence, but the main one is the lack of collaboration between the security and DevOps teams. Other challenges mentioned were the extensive use of open-source software, the number of CI/CD tools, the complexity of development environments, and the lack of adequate security tools to address those challenges.

We also heard the perspective from the run-time side: Amir (Aqua Security) discussed how developers have more responsibility and power now than ever before. While programming remains at the core of their role, they are now also responsible for testing, scalability, and performance. At the same time, speed and agility are expected of them; while in the past companies used to run a few software rollouts per year, now they run a few per minute. This is the main reason behind the push to automate DevOps processes and to use open-source tools and packages; although these changes allow teams to develop software faster, they significantly increase the company’s exposure to vulnerabilities and possible backdoors.

Aaron (Twilio) gave us his input on some of his main concerns as someone who prioritizes security needs at a multinational software company. First, source code does not live only inside source control management systems, so it is necessary to trace where the code goes, who has access to it, and what they can do with that access. Second, the recent cyberattacks have shown that code tampering and malicious injections are becoming more common and are not easy to detect. Aaron raised his main concern as a question: “Will I know if it happens to me? Do we have the data, logging, and forensics to answer that question?” In the discussion Eylam touched on this risk as well, noting that the recent CI/CD pipeline breaches affected not only the breached company but also its customers, which raises the stakes of not applying strong pipeline protection.

We also discussed the concept of DevSecOps, and the best way to implement it. Aaron’s perspective was that, more than anything, DevSecOps is a philosophy. He elaborated that the core of DevSecOps is not the implementation of automation and security tools, but the binding logic and cooperation between development, security, and operations specialists. Focusing on this collaboration will create the position that sets up the processes and tools, and orchestrates the security activities and people.

The session concluded with the panelists sharing their main advice to other Security and DevOps leaders moving forward:

  • Build secure-by-design and inject security automation early enough in the development cycle that you are able to see, shape, and push towards secure delivery outcomes.
  • Focus on and stay on top of the basics: visibility over the tools, dependencies, and code running within your DevOps processes, access management, and tightening of pipeline configurations.
  • Invest in establishing a common language between the security and DevOps teams.
  • Find a balance that lets you maintain speed while enforcing security on your development process, making sure that the tools and services you use do not hurt or slow down your build and run environments.
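The "basics" bullet above (visibility over pipeline tools and dependencies, and tightening pipeline configuration) is concrete enough to check mechanically. The following is an added example, not code from the webinar or from Argon's product: a small line-oriented audit of a GitHub Actions-style workflow that flags the weak patterns the panel was alluding to, namely third-party actions referenced by a mutable tag or branch instead of a commit SHA, a remote script piped straight into a shell (the pattern abused in the Codecov incident), dependency installs without hash verification, a `pull_request_target` trigger (which runs with the repository's token on untrusted pull-request code), and a workflow with no explicit `permissions:` block. Both workflow texts are constructed for the example, the commit SHA and checksum in the hardened version are placeholders, and the matching is deliberately regex-based rather than a YAML parse so the block runs with the standard library only.

```python
"""Audit a CI workflow text for basic pipeline-hygiene problems.

Added example (not from the webinar or Argon). Regex-based on purpose so it
needs no YAML library; a production tool should parse the YAML instead.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number, 0 for file-level findings
    rule: str
    detail: str


# Constructed sample: a workflow with the weak patterns discussed above.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - run: pip install -r requirements.txt
      - run: curl -s https://example.invalid/uploader.sh | bash
      - uses: someorg/some-action@main
"""

# Constructed sample: the same job with each pattern tightened. The 40-hex
# commit SHA and the sha256 checksum are placeholders, not real values.
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: pip install --require-hashes -r requirements.txt
      - run: |
          curl -sSfo uploader.sh https://example.invalid/uploader.sh
          echo "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899  uploader.sh" | sha256sum -c -
          bash uploader.sh
"""

_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
_PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")
_PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")
_PR_TARGET = re.compile(r"\bpull_request_target\b")
_PERMISSIONS = re.compile(r"^\s*permissions:")


def _is_pinned(ref: str) -> bool:
    # A full commit SHA, or a container image digest, is immutable.
    return bool(_FULL_SHA.match(ref)) or ref.startswith("sha256:")


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per weak pattern, in line order."""
    findings: list[Finding] = []
    has_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        if _PERMISSIONS.match(line):
            has_permissions = True
        m = _USES.match(line)
        if m and not _is_pinned(m.group(2)):
            findings.append(Finding(n, "mutable-action-ref",
                f"{m.group(1)}@{m.group(2)} is a tag or branch; pin a full commit SHA"))
        if _PIPE_TO_SHELL.search(line):
            findings.append(Finding(n, "remote-script-piped-to-shell",
                "download to a file, verify a checksum, then execute"))
        if _PIP_INSTALL.search(line) and "--require-hashes" not in line:
            findings.append(Finding(n, "dependencies-without-hashes",
                "install with --require-hashes from a hash-pinned requirements file"))
        if _PR_TARGET.search(line):
            findings.append(Finding(n, "pull_request_target-trigger",
                "runs with the repository token on untrusted PR code; review carefully"))
    if not has_permissions:
        findings.append(Finding(0, "no-explicit-permissions",
            "no permissions: block; the default token scope applies"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(WEAK_WORKFLOW):
        print(f"line {f.line:>2}  {f.rule:<30} {f.detail}")
    print("hardened findings:", audit_workflow(HARDENED_WORKFLOW))
```

Run against the weak workflow this reports seven findings (three mutable action refs, the piped download, the unhashed pip install, the `pull_request_target` trigger and the missing permissions block); the hardened workflow produces none. The checks are only a starting point: they scan each line independently, so they will not see a `uses:` reference split across lines or a download and a pipe in separate steps, and a real audit would also cover self-hosted runner configuration and secrets exposure.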

In summary, the world of software development has undergone (and will continue to undergo) significant changes: developers have more responsibility and power than ever before, and they rely on automated processes, tools, and packages to meet the speed and agility standards expected of them. At the same time, this has opened up a new attack vector that companies need to prioritize; development environments, and specifically CI/CD pipelines, are attackers’ newest entry point of choice. This is mainly because companies lack visibility and control over their pipelines’ infrastructure, processes, and source code.

Argon’s solution connects to development environments and tools, and protects the entire CI/CD pipeline from code manipulation, misconfigurations, code leaks, and vulnerabilities. It enables smooth AppSec orchestration by providing unified visibility, security, and integrity throughout the build, test, and deployment stages. Argon secures the entire software delivery pipeline, from commit to release, closing gaps and helping prevent supply-chain attacks of the kind seen at SolarWinds and Codecov.
