DevSecOps is a "process or mentality" of applying agile methods to security for things IT professionals build, buy or download from open source, said Keith Hoodlet, senior manager of application experience at Thermo Fischer Scientific, during a CyberRisk Alliance eSummit.
“A lot of it, at least today, is like asset management of your stack,” Hoodlet said. “But it can be ephemeral asset management as opposed to the physical devices in your racks that you had to go deal with.”
Hoodlet participated in a CyberRisk Alliance eSummit on DevSecOps with CRA’s Chief Innovation Officer Paul Asadoorian and Chris Blask, global director of industrial and IoT security at Unysis.
Blask offered his take on DevSecOps: “It puts individual thoughts in an order — development, security and operations — and runs them together, so we think about it together. That’s good … They each have a role. They each feed into each other. And we're getting to this point in the industry where the opportunity to merge them for practical purposes is substantial.”
While there are many tools available to help developers with their open-source and container exposure, Hoodlet said people often don’t consider a manifest file for their applications. Open-source platforms such as GitHub’s Dependabot will tell developers if they’re running a vulnerable version of software and what updates are available, he continued. That enables developers to track applications pulled in from core applications, so that I can now track them more readily,” he said.
"It’s not a widely adopted practice," he noted. "I’d say that we’re getting there.”