Ask three people what SecOps is and chances are you’ll get three different descriptions:
- It’s a team
- It’s a job title
- It’s a methodology
All of these definitions are, in fact, correct. Smaller companies may implement a SecOps methodology where everyone is a security ambassador, whereas larger companies with more personnel can assemble an entire team and designate specific SecOps job titles. Whichever is the case for you, there are five ingredients that must be part of any successful SecOps implementation.
Read more “The 5 Ingredients of a Successful SecOps Implementation”
At Threat Stack, we’ve been a SecOps-oriented team from day one. This means our developers, operations, and security practitioners all work together to make sure that every line of code we release is secure. It’s how we eat our own dogfood.
But we know that getting started with SecOps isn’t always easy, especially since little has been said so far about the practicalities of how security and operations can come together to enable SecOps.
Pete Cheslock, our Senior Director of Operations and Support, has been on the frontlines of SecOps for much of his career, so we decided to spend some time quizzing him about the practical aspects of getting a SecOps program started.
Read more “Will SecOps Finally Close the Security and Operations Gap? A Q&A with Pete Cheslock”
The Threat Stack SecOps Playbook is now available!
Why We Created a SecOps Playbook
I have experienced the transition to SecOps up close and personal. I’ve led teams in figuring out how to get security practitioners and DevOps teams in sync and in harmony. Along the way, I’ve learned a number of valuable lessons that can be extended to any team that is thinking about bringing security deeper into the DevOps process.
Last week, we released Part 1 of a two-part series on the low-hanging security best practices companies can implement to improve their security posture. Since security is no longer just the domain of the security experts, it’s important that everyone within your organization feel empowered to uphold security best practices regardless of their role.
This series is designed to give organizations a “starting point” on the security journey by identifying low-hanging fruit that can be picked off to gradually improve security. In Part 1, we explained the four security tools and services we recommend getting started with, and in this post we uncover the next set of recommendations, which can take you from level one to level two, so to speak.
If you look at how and when different companies implement security, it’s clear the approach runs the gamut. Some go all in from day one while many others wait until the need is on top of them.
Of course, companies who get security off the ground as early as possible have many advantages, but that can be a daunting undertaking. This especially rings true in organizations that don’t have security pros on staff.
No matter where you are today, there are steps you can take to get more secure. And rather than succumb to analysis paralysis, it’s a good idea to just bite off what you can chew and start somewhere. So… where to start?
Read more “Cloud Security: Where to Get Started, Part 1”
It won’t be long before network perimeters are a thing of the past. As companies continue to adopt the cloud, either going all-in or operating in hybrid mode, the familiar perimeter starts to disappear.
Read more “How to Monitor Network Activity When Your Infrastructure Lacks an Edge”
You’re a week into your new job and a colleague shouts out across the room before a big deployment: “Hey John, you’ve got security covered, right?” You rush over to your good friend Google for a few quick ideas on implementing security best practices into DevOps and timidly shake your head “yes” at your colleague.
Read more “How to Create a Security-Minded DevOps Organization: Three Best Practices”
A recent Motherboard article caught our eye and got us thinking about who is — and who should be — responsible for security in an organization. The article, titled “We Need to Change the Psychology of Security,” makes the argument that, by treating security as a specialization that belongs only to a few people in an organization (the security team), we are crippling our ability to successfully achieve security at scale.
The author, Adrian Sanabria, makes some excellent points. After reading the article, we wanted to share some actionable ways that organizations can go about deputizing their employees as security ambassadors.
It’s every executive’s worst nightmare: becoming the next Target- or Anthem-style data breach headline. But aside from just hoping and praying that you won’t be the next victim, you can take some very practical and actionable steps to keep your organization safe and to ensure that, if you are breached, you’ll know right away.
Read more “5 Tips for Reinforcing Your Organization’s Cloud Security”
Unless you’ve been living under a rock (or don’t work in the tech industry), you’ve probably heard the term DevOps thrown around. A mashup of “development” and “operations,” DevOps is a mindset and set of practices that focus on collaboration and communication between software developers and other IT professionals with the goal of automating both software delivery and infrastructure changes.
Read more “How to Apply DevOps Culture to Security & Why You Should Do It”