Security’s Case Against ‘Cloud-Native DevOps’

Episode 386 · November 27th, 2018 · 24 mins 12 secs

About this Episode

The whole point of the movement-within-a-movement that Utsav Sanghani, Senior Product Manager for Desktop and AppDev Security for code security platform provider Synopsys, calls “DevSecOps,” is to engage information security professionals in the task of automating enterprise processes.  That engagement requires a shared understanding among all departments of the infrastructure with which applications and critical functions are being hosted.

That knowledge is cast to the wind, suggested Sanghani in an interview for The New Stack Makers, when an organization opts to host its applications on a cloud-native platform, and then attempt to leverage DevSecOps to secure it.

“Let’s assume that your production builds are happening in the cloud,” said Sanghani.  “You’re working for a big financial institution.  As part of your production builds, you’re running scans using market-leading tools like, let’s say, Synopsys’ Coverity.  As part of that, if at any point something were to leak out that this application has a high-security CSRF issue with it, that’s going to be a PR nightmare for that big financial institution.