Select Security Tools that Work in an Automated DevOps Workflow
- Keep images as small as possible. Do not package a small microservice on top of a large, general-purpose base image: every package the service never uses is still attack surface and still shows up in vulnerability scans.
- Write a mission statement for your DevSecOps organization and its security goals, then pick tools that align with that mission statement.
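As an added illustration of the first tip (this is example code, not from the article or from Price's organization), the multi-stage Dockerfile below builds a Go microservice with the full toolchain and then ships only the static binary on a distroless base image. The weak form it replaces is a single `FROM golang:1.22` image that carries the compiler, shell and package manager into production. The service path `./cmd/svc`, the listening port and the Go version are assumptions.

```dockerfile
# Stage 1: build with the full toolchain. Nothing from this stage ships
# except the artifact copied out below. (Weak form: using this same image
# as the runtime, which carries the compiler, a shell and apt into prod.)
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary so it can run on a base image with no libc at all.
# ./cmd/svc is an assumed path for the service's main package.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/svc ./cmd/svc

# Stage 2: runtime. The distroless "static" image has no shell, no package
# manager and no libc, so a scanner has almost nothing to flag and an
# attacker who gains code execution has no tools to pivot with.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/svc /svc
# Run unprivileged; the nonroot user is provided by the base image.
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/svc"]
```

Build with `docker build -t svc:latest .` and compare `docker image ls` against a single-stage build of the same service; the runtime image is typically tens of megabytes rather than close to a gigabyte. The size is only half the point: because the image contains almost nothing, an automated scan step that fails the pipeline on findings (for example `trivy image --exit-code 1 --severity CRITICAL,HIGH svc:latest`) produces a short, actionable result instead of hundreds of findings in packages the service never calls.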
“We’ve seen application teams take machine learning algorithms and in a matter of days provide business value that would have taken us months.”
In helping transition the organization’s IT strategy from cloud-first to cloud-only, Kevin Price’s first security challenge was a cultural one. “The biggest challenge out of the gate was that cloud had a bad name. People didn’t understand it, so automatically if it’s not secure we can’t go there,” he says. But overcoming that challenge led to another, which was finding a way to ensure security in an automated, DevOps environment where the old tools no longer worked. “We worked in that traditional way where at the end of a project you run your security components manually and provide the results,” Price explains. “We had a lot of tools that didn’t enable us to automate. There was no way to trigger a security scan automatically. There was no API access or interface. We really had to shift the tools we were using in order to accomplish our goals.”