On November 29, 2024, MISA representatives shared practical experiences in building a SecDevOps culture to improve information security for organizations at the Workshop "Learn about DevSecOps - Technology and Security Control Solutions" organized by BIDV Insurance - BIC.
The workshop was attended by leading experts in information technology and information security. MISA was represented by Mr. Nguyen Quang Hoang, Director of Information Security, and Mr. Bui Duc Truong, Head of the Information Security Department.
During the workshop, Mr. Bui Duc Truong, Head of the MISA Information Security Department, introduced the SecDevOps model and shared experience in applying SecDevOps to products, to help organizations raise awareness of information security and safety.
According to Palo Alto Networks' Common Vulnerabilities and Exposures (CVE) Allocation Catalog from November 2022 to January 2023, vulnerabilities often appear in applications because of unsafe programming. Organizations therefore need to integrate security into the entire software product development process. Specifically, applying the SecDevOps model to software accelerates the product development process and reduces vulnerabilities in source code by 40-50%, according to James Rutt - CIO Insight.
SecDevOps is a development model that combines Security, Development, and Operations, similar to DevSecOps. However, the key difference is that SecDevOps puts security at the forefront of each individual’s mindset and in every step of the software development process. In addition, this model emphasizes the “One Team” working process and culture that helps individuals work closely together to ensure security is prioritized throughout.
To apply the SecDevOps model effectively, organizations need to rigorously address 3 factors: people, process and technology. Regarding people, organizations need to improve the skills of the information security team, connect the Sec team with the DevOps team, and provide training in secure programming and deployment. Regarding process, organizations can apply the Secure Software Development Life Cycle (SSDLC) model to develop secure software. Regarding technology, organizations can use the following security methods and tools to detect and handle security vulnerabilities: Static Analysis (SAST); Dynamic Analysis (DAST); Interactive Analysis (IAST); Software Composition Analysis (SCA).
According to Mr. Truong, programmers need to be trained in security awareness and secure programming, with the aim of preventing vulnerabilities from appearing in the later steps of the software development process.
As a leading technology enterprise providing software as a service in Vietnam and the initiator of the CYSEEX Alliance, MISA is committed to accompanying organizations in deploying advanced security solutions, protecting data and information systems from cyber attacks.
Source: https://www.misa.vn/149771/ung-dung-mo-hinh-secdevops-giai-pap-an-toan-thong-tin-cho-cac-to-hoc/