There seems to be a consensus among industry press and analysts that one of the main themes coming out of this year’s RSA Conference 2020 in San Francisco, California, is DevSecOps, including this one article claiming it was the backbone of the show. In case you are not familiar with the term, DevSecOps refers to the need to focus on security during the development and operations planning part of web applications. In other words, start thinking about security at the beginning of your web application development, rather than waiting to implement security when you are in production.
During the RSA Conference, I had the opportunity to attend a briefing given by ESG (an industry analyst group), and one of their research areas and focus for 2020 is also around DevSecOps. While I agree that the earlier you start thinking about and incorporating security into your planning process, the better, I am worried that organizations may consider this a zero-sum game, and move budget away from operational security to development security.
With this concern in mind, I asked the analysts at ESG, including Doug Cahill and Jon Oltsik, if they thought the new spotlight on DevSecOps would take away from spend and focus on security spend and development in production environments. Cahill’s immediate response was that it should not, as it is still as relevant as ever, and if anything a focus on DevSecOps should mean an increase in security needs during production.
The real issue here is that no matter how much security you put into the development process, there’s no guarantee you’ll have found all the vulnerabilities in your code, or in the third-party and open-source code you are using in your application. Run-time security is really the only way you can be sure to protect your organization’s assets given the likelihood there is a vulnerability in your application, no matter how much effort you spend in development to reduce the possibility.
That is why it is more important than ever for organizations to have a run-time security solution that validates the application execution and alerts on attacks in real time. If you haven’t looked into K2 Cyber Security’s next-generation workload and application protection platform, request a demo today, and let us show you how you can get protection against zero-day attacks with no false positives for your web application and container workloads.