"By 2023, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, which is a significant increase from fewer than 30% in 2019."
Your security testing tools and processes should be tailored to developers
Stop trying to eliminate every vulnerability during development
Concentrate on identifying and eliminating known open-source vulnerabilities first
Do not expect to use traditional DAST/SAST tools without changes
Developers should be trained in secure coding, but do not expect them to be experts
Create a security champion model and implement a simple tool for gathering security requirements
Secure and apply operational discipline to automation scripts and infrastructure security posture
Strengthen version control for all components and code
Apply secrets management
Develop an immutable infrastructure mentality
Rethink how incidents involving service delivery are handled
Ensure developers have dynamic access provisioning in DevSecOps
Focus First on Identifying and Removing Known Open Source Vulnerabilities
The growing reliance on open-source software (OSS) changes what security scanning has to cover, and has led large companies to maintain pre-approved component libraries for reuse across DevOps teams. According to Gartner's assessment, code written by a team's own developers makes up less than 10% of the resulting application.
Shifting scanning toward those component libraries, looking for known vulnerabilities and insecure configurations in the components rather than only in first-party code, saves time and preserves developer productivity. Since components are often pinned in a manifest or lockfile, that manifest is the natural input to such a scan.
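The kind of component check described above, as an added example that is not part of the Gartner report or this page: it parses a pinned requirements list and matches each component against advisory version ranges. The package names, versions and advisory identifiers are constructed for illustration and do not refer to real packages or real advisories; a practitioner would substitute a feed such as OSV or the organisation's own approved-component list.

```python
"""Match pinned open-source components against known-vulnerable version ranges.

Added example, not from the Gartner report.  All package names, versions and
advisory IDs below are constructed and do not correspond to real advisories.
Uses only the standard library so it runs offline.
"""
import re
from typing import Dict, List, Tuple

# Constructed requirements.txt-style input (not a real project's dependencies).
REQUIREMENTS = """\
# web stack
webframework==2.3.1
jsonparser==1.0.4
imagelib==0.9.2 ; python_version >= "3.8"
templating==4.1.0
"""

# Constructed advisory data: package -> [(advisory id, introduced, fixed)].
# A component is affected when introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "webframework": [("EX-2021-0001", "2.0.0", "2.3.2")],
    "jsonparser": [("EX-2020-0002", "0.0.0", "1.0.4")],  # fixed in exactly 1.0.4
    "imagelib": [("EX-2022-0003", "0.9.0", "0.9.3"),
                 ("EX-2022-0004", "0.5.0", "0.8.0")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.0.4' into (1, 0, 4); a non-numeric segment counts as 0."""
    parts = []
    for segment in v.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed, padding so '1.0' == '1.0.0'."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    n = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (n - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract exact 'name==version' pins; comments and environment markers are ignored.

    A requirement that is not pinned (e.g. 'foo>=1.0') cannot be scanned reliably,
    so it is rejected rather than silently skipped.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def scan(pins: Dict[str, str],
         advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, advisory id, first fixed version) for each affected pin."""
    findings = []
    for name, version in pins.items():
        for adv_id, introduced, fixed in advisories.get(name, []):
            if version_in_range(version, introduced, fixed):
                findings.append((name, version, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv, fixed in scan(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{pkg}=={ver}: affected by {adv}, upgrade to >= {fixed}")
```

The check is deliberately strict about unpinned requirements: a range like `>=1.0` resolves to a different version on every build, so the scan result would not describe what actually ships. Failing the pipeline on an unpinned component is usually the right default.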
Implement Strong Version Control on All Code and Components
Maintaining version control over source code throughout the DevSecOps lifecycle is critical if you hope to increase delivery velocity without losing the ability to trace and revert what was shipped. Distributed version control systems (DVCS) and application lifecycle management (ALM) tools are the foundation for enterprise version control, and the same discipline should extend to build scripts, infrastructure definitions and pipeline configuration, not just application code.
Use Dynamic Access Provisioning for Developers in DevSecOps
In light of the Cybersecurity Executive Order and the aftermath of the SolarWinds and Codecov compromises, many companies will have to change how they secure their tooling and infrastructure. Chief Information Security Officers (CISOs) and security teams will be looking for ways to shore up the security of software supply chains, DevSecOps toolchains and other development infrastructure, including replacing standing developer access with access that is provisioned dynamically, for a specific task, and revoked when the task is done.
Adopt an Immutable Infrastructure Mindset
Containers and microservices are powerful tools for improving software delivery efficiency, but they call for additional precautions to protect the production environment. As you update and change software, that work should take place in your development environment, never by hand in production. Changes are then deployed automatically from a secured repository into production through the automated tools integrated into your DevOps toolchain, so that a running system is replaced rather than modified in place.
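One way to enforce that mindset at deployment time, as an added example that is not from the Gartner report or this page: a policy check over a container spec that rejects anything not built from the secured repository, anything referenced by a mutable tag rather than an immutable digest, and anything whose root filesystem can be modified at runtime. The registry name, the manifests and the field names are constructed (the field layout follows Kubernetes pod specs); in practice such a check would run as a pipeline gate or an admission policy.

```python
"""Immutable-infrastructure policy check over a container spec.

Added example, not from the Gartner report.  The approved registry, the
sample manifests and the findings are constructed for illustration.
"""
import re
from typing import Any, Dict, List

# An immutable image reference ends in a content digest, not a tag.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Assumption: the organisation's secured, pipeline-fed repository.
APPROVED_REGISTRIES = ("registry.example.internal/",)


def check_container(c: Dict[str, Any],
                    approved: tuple = APPROVED_REGISTRIES) -> List[str]:
    """Return a list of policy violations for one container entry (empty if compliant)."""
    problems: List[str] = []
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")

    # 1. Only images that came through the secured repository may run.
    if not image.startswith(approved):
        problems.append(f"{name}: image {image!r} is not from an approved registry")

    # 2. A tag like ':latest' (or no tag at all) can change underneath you;
    #    a digest cannot, so production is reproducible and rollback is exact.
    if not DIGEST_RE.search(image):
        problems.append(f"{name}: image {image!r} is not pinned by digest")

    sc = c.get("securityContext", {})

    # 3. No in-place modification: the container's filesystem is read-only,
    #    so a fix means a new image through the pipeline, not a hot patch.
    if sc.get("readOnlyRootFilesystem") is not True:
        problems.append(f"{name}: root filesystem is writable")

    # 4. A privileged container can alter the host, defeating immutability.
    if sc.get("privileged"):
        problems.append(f"{name}: container runs privileged")

    return problems


def check_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """Check every container and init container in a pod-style spec."""
    problems: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(check_container(c))
    return problems


# Constructed manifest: how a hand-maintained production box tends to look.
MUTABLE_SPEC = {
    "containers": [{
        "name": "api",
        "image": "docker.io/example/api:latest",
        "securityContext": {"privileged": True},
    }],
}

# Constructed manifest: built in dev, pushed to the secured repository,
# deployed by digest with a read-only filesystem.
IMMUTABLE_SPEC = {
    "containers": [{
        "name": "api",
        "image": "registry.example.internal/api@sha256:" + "a" * 64,
        "securityContext": {"readOnlyRootFilesystem": True, "privileged": False},
    }],
}


if __name__ == "__main__":
    for label, spec in (("mutable", MUTABLE_SPEC), ("immutable", IMMUTABLE_SPEC)):
        issues = check_pod_spec(spec)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Resolving a tag to a digest at build time, and recording that digest in version control alongside the deployment manifest, is what makes the third check workable; the pipeline then always deploys exactly the artifact that was tested.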
Find the full report at https://www.gartner.com/en/documents/3978490