What you otherwise do once a week manually you might now do 100 times a day with automation
Imagine your organization wants to embrace higher-velocity deployment, and ultimately achieve a full-stack engineering model reflecting DevOps patterns and practices. A common oversight I see in organizations is captured by the quote above, which I keep re-reading, from Mirco Hering: what your organization does today must scale. But what does that mean?
Here is what it means from a security operator's perspective:
- Verification engines must check for high-quality code, verify compliance with business requirements, run dynamic and static scans, and perform every other integrity check along the road, and all of this must now occur not 1x per build (monthly?) but perhaps daily (30x a month)
- All of the systems need to be built every time, queued every time, and bits & bytes consumed every time to carry out the activities in the first bullet
- Findings signed off, tickets created, and workflows activated to loop any findings back to engineers, all in less than 24 hours (< 12 hours to hit a “B” score)
Now the twist, as Mirco highlights:
- Can the infrastructure handle the increased volume?
- Do we have the licenses to run that many simultaneous activities?
- Where are the human choke points (does a human provision the tool, sort the data, create the tickets, verify the tickets, etc.)?
- Is the quality of these checks under automation good enough to effectively identify issues and efficiently lead to code improvement?
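These questions can be put to a rough capacity model before anyone buys runners or license seats. The script below is an added example, not code from the original post or any tool the author uses; the stage names, per-run durations, seat counts and the 100-app, 12-hour inputs are constructed assumptions. It treats each verification stage (static scan, dynamic scan, human triage) as a pool of slots that each handle one run at a time, reports daily capacity, utilisation and worst-case feedback time per stage, and computes the smallest slot count that still meets the feedback SLA, so the license and human choke points show up as numbers rather than surprises.

```python
"""Pipeline capacity model: can the verification pipeline absorb the build
volume, and which stage is the choke point?  Constructed example; the stage
names, durations and seat counts below are invented inputs, not measurements.
"""
from dataclasses import dataclass
from math import ceil
from typing import List, Optional


@dataclass(frozen=True)
class Stage:
    name: str
    minutes_per_run: float
    slots: int                     # concurrent runs: runners, license seats or analysts
    available_hours: float = 24.0  # 8.0 for a human team working one shift

    def runs_per_day(self) -> float:
        return self.slots * self.available_hours * 60 / self.minutes_per_run


def wall_clock_hours(work_hours: float, available_hours: float) -> float:
    """Elapsed hours for work that only progresses 'available_hours' per day.
    A 24h machine pool is the identity; an 8h human team facing 9h of work
    needs 25h of wall clock because the last hour lands on day two."""
    if available_hours >= 24:
        return work_hours
    full_days, remainder = divmod(work_hours, available_hours)
    if remainder == 0 and full_days > 0:
        return (full_days - 1) * 24 + available_hours
    return full_days * 24 + remainder


def worst_case_hours(stage: Stage, demand: int, slots: Optional[int] = None) -> float:
    """Time to clear 'demand' runs that all arrive together (a nightly batch):
    runs are served in waves of 'slots' at a time."""
    slots = stage.slots if slots is None else slots
    waves = ceil(demand / slots)
    return wall_clock_hours(waves * stage.minutes_per_run / 60, stage.available_hours)


def slots_for_sla(stage: Stage, demand: int, sla_hours: float) -> Optional[int]:
    """Smallest slot count that clears the batch within the SLA, or None when
    even one run per slot (demand slots, a single wave) cannot make it."""
    for slots in range(1, demand + 1):
        if worst_case_hours(stage, demand, slots) <= sla_hours:
            return slots
    return None


@dataclass(frozen=True)
class StageReport:
    name: str
    demand: int
    capacity_per_day: float
    utilisation: float           # > 1.0 means the backlog grows every day
    worst_case_hours: float
    slots_for_sla: Optional[int]

    @property
    def backlog_grows(self) -> bool:
        return self.utilisation > 1.0


def plan(apps: int, builds_per_app_per_day: int, stages: List[Stage],
         sla_hours: float) -> List[StageReport]:
    """One report per stage for a fleet of 'apps' each building N times a day."""
    demand = apps * builds_per_app_per_day
    return [
        StageReport(
            name=s.name,
            demand=demand,
            capacity_per_day=s.runs_per_day(),
            utilisation=demand / s.runs_per_day(),
            worst_case_hours=worst_case_hours(s, demand),
            slots_for_sla=slots_for_sla(s, demand, sla_hours),
        )
        for s in stages
    ]


# Constructed inputs: 100 apps building once a day, 12h feedback target.
SAMPLE_STAGES = [
    Stage("sast", minutes_per_run=20, slots=4),                       # 4 license seats
    Stage("dast", minutes_per_run=90, slots=2),                       # 2 scan engines
    Stage("triage", minutes_per_run=15, slots=2, available_hours=8.0),  # 2 analysts, one shift
]
SAMPLE_REPORT = plan(apps=100, builds_per_app_per_day=1,
                     stages=SAMPLE_STAGES, sla_hours=12)

if __name__ == "__main__":
    for r in SAMPLE_REPORT:
        flag = "BACKLOG GROWS" if r.backlog_grows else "ok"
        print(f"{r.name:8} demand={r.demand} cap/day={r.capacity_per_day:.0f} "
              f"util={r.utilisation:.2f} worst={r.worst_case_hours:.1f}h "
              f"slots_for_sla={r.slots_for_sla} {flag}")
```

With these made-up inputs the static scanner is fine on 4 seats, the dynamic scanner and the two-person triage team both fall behind every single day, and the triage row shows why a human step hurts most: because it only progresses 8 hours a day, a batch that needs 12.5 hours of analyst time takes 28.5 hours of wall clock. Re-run `plan()` with 1,000 or 3,000 apps to see the same shape at the scale the post asks about.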
Most organizations have more than one group developing, so as team size grows the climb becomes even steeper: 1,000 apps? 2,000? 3,000 apps?
How are you handling these growth curves internally to enable and allow the growth, instead of becoming the department of NO or of “we didn’t have time to…”?