pgarner18

A Brief Overview of Gartner’s 12 Things to Get Right for Successful DevSecOps: A Study in DevSecOps


"By 2023, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, which is a significant increase from fewer than 30% in 2019."

  1. Your security testing tools and processes should be tailored to developers

  2. Stop trying to eliminate every vulnerability during development

  3. Concentrate on identifying and eliminating known open-source vulnerabilities first

  4. Using traditional DAST/SAST does not mean you won't have to make changes

  5. Developers should be trained in secure coding, but do not expect them to be experts

  6. Create a security champion model and implement a simple tool for gathering security requirements

  7. Secure and apply operational discipline to automation scripts and infrastructure security posture

  8. Strengthen version control for all components and code

  9. Apply secrets management

  10. Develop an immutable infrastructure mentality

  11. Rethink how incidents involving service delivery are handled

  12. Ensure developers have dynamic access provisioning in DevSecOps

Focus First on Identifying and Removing Known Open Source Vulnerabilities:

The increasing reliance on open source software (OSS) changes what security scans need to cover, and it has led large companies to maintain pre-approved component libraries for reuse across their DevOps teams. According to Gartner's assessment, a developer's own code makes up less than 10% of the actual application.


Shifting the scan to those component libraries, looking for known vulnerabilities and configuration problems first, saves time and maintains developer productivity.
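As an added illustration (not code from the Gartner report or from this post), the check below compares a pinned dependency manifest against a list of known advisories; the package names, versions and advisory ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
import re

@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str            # constructed placeholder, not a real CVE id
    introduced: str             # first affected version (inclusive)
    fixed: Optional[str]        # first fixed version (exclusive); None = no fix yet

def parse_version(v: str) -> tuple:
    """Turn '2.31.0' into (2, 31, 0); trailing non-numeric suffixes are ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (pip requirements style); comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")  # a range cannot be checked
        pins[name.strip().lower()] = version.strip()
    return pins

def scan(manifest: str, advisories: list) -> list:
    """Return sorted (package, version, advisory_id) triples for every affected pin."""
    pins = parse_manifest(manifest)
    return sorted((a.package, pins[a.package], a.advisory_id)
                  for a in advisories
                  if a.package in pins and is_affected(pins[a.package], a))

# Constructed sample input: package names, versions and ids are placeholders.
SAMPLE_MANIFEST = "httpclient==2.30.1  # transitive\nyamlparse==5.4\ncrypto-utils==1.2.0\n"
SAMPLE_ADVISORIES = [Advisory("httpclient", "ADV-0001", "2.0.0", "2.31.0"),
                     Advisory("yamlparse", "ADV-0002", "0", "6.0"),
                     Advisory("crypto-utils", "ADV-0003", "1.3.0", None)]
```

Calling `scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)` flags the two pins inside an affected range and leaves `crypto-utils` alone because it is below the introduced version.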

Implement Strong Version Control on All Code and Components

Maintaining source code version control throughout your DevSecOps lifecycle is critical if you hope to increase delivery velocity. Distributed version control systems (DVCS) and application lifecycle management (ALM) tools are essential for version control in enterprises.


Use Dynamic Access Provisioning for Developers in DevSecOps

In light of the Cybersecurity Executive Order and the aftermath of the SolarWinds and Codecov hacks, many companies will have to change how they secure their tooling and infrastructure. Chief Information Security Officers (CISOs) and security teams will be looking for ways to shore up the security of software supply chains, DevSecOps toolchains, and other development infrastructure.


Adopt an Immutable Infrastructure Mindset

Containers and microservices are powerful tools for improving software delivery efficiency, but you need to take additional precautions to protect your production environment. When you update or alter software, the work should take place in your development environment, not in production. The changes and updates are then automatically deployed from a secured repository into production by the automated tooling in your DevOps toolchain.



Find the full report at https://www.gartner.com/en/documents/3978490


