https://www.channelfutures.com/wp-content/themes/channelfutures_child/assets/images/logo/footer-new-logo.png
  • Home
  • Technologies
    • Back
    • Analytics
    • Artificial Intelligence
    • Cloud
    • Data Centers
    • Desktop
    • IoT
    • Mobility
    • Networking
    • Open Source
    • RMM/PSA
    • Security
    • Virtualization
    • Voice/Connectivity
  • Strategy
    • Back
    • Best Practices
    • Business Models
    • Channel 101
    • Channel Programs
    • Channel Research
    • Digital Transformation
    • Diversity & Inclusion
    • Leadership
    • Mergers and Acquisitions
    • Sales & Marketing
    • Specialty Practices
  • MSSP Insider
    • Back
    • Business of Security
    • Cloud and Edge
    • Endpoint
    • Network
    • People and Careers
    • Training and Policies
  • MSP 501
    • Back
    • 2021 MSP 501 Application
    • 2020 MSP 501 Rankings
    • 2020 Hot 101 Rankings
    • 2020 MSP 501 Report
  • Intelligence
    • Back
    • Our Sponsors
    • From the Industry
    • Content Resources
    • COVID-19 Partner Help
    • Galleries
    • Podcasts
    • Reports
    • Videos
    • Webinars
    • White Papers
  • EMEA
  • Awards
    • Back
    • Excellence in Digital Services
    • 2021 MSP 501
    • Top Gun 51
  • Events
    • Back
    • CP Conference & Expo
    • Channel Partners Evolution
    • Channel Evolution Europe
    • Channel Partners Event Coverage
    • Webinars
  • Channel Mentor
    • Back
    • Channel Market Intelligence
    • Channel Educational Series
Channel Futures
  • NEWSLETTER
  • Home
  • Technologies
    • Back
    • Analytics
    • Artificial Intelligence
    • Cloud
    • Data Centers
    • Desktop
    • IoT
    • Mobility
    • Networking
    • Open Source
    • RMM/PSA
    • Security
    • Virtualization
    • Voice/Connectivity
  • Strategy
    • Back
    • Best Practices
    • Business Models
    • Channel 101
    • Channel Programs
    • Channel Research
    • Digital Transformation
    • Diversity & Inclusion
    • Leadership
    • Mergers and Acquisitions
    • Sales & Marketing
    • Specialty Practices
  • MSSP Insider
    • Back
    • Business of Security
    • Cloud and Edge
    • Endpoint
    • Network
    • People and Careers
    • Training and Policies
  • MSP 501
    • Back
    • 2021 MSP 501 Application
    • 2020 MSP 501 Rankings
    • 2020 Hot 101 Rankings
    • 2020 MSP 501 Report
  • Intelligence
    • Back
    • Our Sponsors
    • From the Industry
    • Content Resources
    • COVID-19 Partner Help
    • Galleries
    • Podcasts
    • Reports
    • Videos
    • Webinars
    • White Papers
  • EMEA
  • Awards
    • Back
    • Excellence in Digital Services
    • 2021 MSP 501
    • Top Gun 51
  • Events
    • Back
    • CP Conference & Expo
    • Channel Partners Evolution
    • Channel Evolution Europe
    • Channel Partners Event Coverage
    • Webinars
  • Channel Mentor
    • Back
    • Channel Market Intelligence
    • Channel Educational Series
    • Newsletter
  • REGISTER
  • MSPs
  • VARs / SIs
  • Digital Service Providers
  • Cloud Service Providers
  • CHANNEL PARTNERS ONLINE
 Channel Futures

MSSP Insider


Shutterstock

Data center security

Why Infrastructure Security Is Key to DevSecOps

  • Written by Don MacVittie
  • January 9, 2019
Making the move to DevSecOps is essential, even if it will be painful.
Ingrained Technology's Don MacVittie

Don MacVittie

There’s been a lot written about DevSecOps of late, in a general sense and in terms of MSSPs. We have a pretty good idea of how to start integrating security into DevOps, and what challenges this transition will have. Less so for service providers, but much of what is written for enterprises also applies to service providers.

In short, it’s a tall order and a long path. Even so, InfoSec has been short of people (let alone quality candidates) for years, so the increasing burden that agile methodologies and DevOps have placed on traditional security shops means making the move to DevSecOps is essential, even if it will be painful.

But there is a catch. There are precursors to DevSecOps that far too many shops – particularly MSSPs because of the breadth of their business – are behind on. Locking down the infrastructure that houses DevOps functionality is imperative. While the frequency of deploys has grown, so has the number of targets that are deployed to. Rapid changes present a security challenge, particularly when they change the underlying infrastructure by needing new ports open or using a new version of a library/module. And new targets have new security requirements. Locking down public cloud instances may share a little bit with locking down containers, but not much. Additional bells and whistles available with cloud services (be they public, private or internal) offer more confusion.

If an organization can’t protect its source code management (SCM) repositories, and can’t protect its continuous integration (CI) or release management tools, then protecting applications through DevSecOps is moot. This is a thousand times true for service providers, where it’s not just the organizations’ own systems at risk, but — through shared code — each clients’ systems as well.

Illegal access to an SCM is a disaster-level event for a service provider, and one we all recognize well. But it seems that awareness of the same issue with regards to CI systems lags behind. Simply put, if a ne’er-do-well can load modules in Jenkins, everything that passes through that CI system is suspect, making extreme steps warranted to block unauthorized access to Jenkins in any environment. But in a service provider environment, one code insertion to the self-service app could undermine the entire customer base.

Potential Service Provider Fixes

What can be done? Well, there are some quick-hit easy steps that service providers should take to start down the path of ensured infrastructure.

    • First, if you are one of the (small, but due to agile/DevOps, unfortunately increasing in number) shops that allows changes in production, stop. Emergencies will always leave the door open to a change in production, but in general these should be extremely limited.
    • Next, do a check-out, build and compare to production on a regular (at least daily) basis. Bowker Identifier Services recently had a code insertion issue that would have been detected on day one, were this simple process in place (yet another disclosure: It is possible the author knows about the Bowker compromise very firsthand). Instead, it was six months of their customers’ data being stolen and customer credit cards sold on the dark web. Validating that the code running is the code intended and reporting the differences allows valid, in-production changes to be captured for insertion back into the DevOps process, and allows security to …
  • Page 1
  • Page 2
Tags: MSPs Business of Security Cloud and Edge MSSP Insider

Related


  • Malware alert
    It's Raining Malware: Understanding and Protecting Against Today's Threats
    From using VPNs to heightened security awareness, companies must work harder to stop attacks as people work from home.
  • Threat protection
    Critical Threat Protection Steps MSSPs, Other Partners Must Take Now
    In this second installment in our series on threat protection, vendors discuss what partners have to do this year.
  • Zero Trust Security
    3 Strategies for Selling Zero Trust in the Channel
    Switching to a zero-trust security approach reduces exposure to potential data breaches and helps drive down fixed costs.
  • Malicious hacker group
    BlackBerry Research: MSSPs Increasingly Targeted by Hacker-for-Hire Groups
    The cybercrime industry has adapted to new digital habits.

Leave a comment Cancel reply

-or-

Log in with your Channel Futures account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • Despite SIEM Software Adoption, Threat Coverage Comes Up Short
  • Secureworks Debuts New MSSP Partner Track, Analytics Platform
  • Cybercriminals Now Targeting Unemployment Benefit Claims
  • How Ransomware Is Accelerating in the COVID-19 Era

Galleries

View all

From The Second City: How to Use Improv as a Business Tool

March 3, 2021

Industry Perspectives

View all

5 Ways XDR Can Improve Operational Efficiency for MSPs

March 4, 2021

Multi-Cloud: Strategy or Inevitable Outcome? (or both?)

March 3, 2021

Backup Vulnerability: 4 Targets Hackers Might Utilize to Infiltrate Your Backup Solution

March 2, 2021

Webinars

View all

A Partner’s Perspective on Channel Success in 2021

March 23, 2021

XDR and Why it Matters to MSPs

March 24, 2021

Top Security Trends Impacting Technology Security Providers In 2021

March 25, 2021

White Papers

View all

Why Fortinet for my MSSP?

March 2, 2021

Small and Mid-Size Business Security: 4 Steps to Success

March 2, 2021

How SMBs Can Secure Endpoints and Remote Workers for the Long Haul

March 2, 2021

Upcoming Events

View all

Channel Partners Conference & Expo

November 1, 2021 - November 4, 2021

Videos and Fastchats

View all

FASTCHAT: How SOAR Eliminates Security Challenges and Elevates Service Provider Revenues

January 6, 2021

Happy Holidays from Channel Partners & Channel Futures!

December 21, 2020

FASTCHAT: How Old, Unpatched Technologies Are Creating New Security Threats for MSPs and Their Customers

December 3, 2020

Twitter

ChannelFutures

.@okta acquiring rival @auth0 in $6.5 billion all-stock transaction. #security dlvr.it/Rtzwdp https://t.co/4LvHCJuwsR

March 4, 2021
ChannelFutures

.@MicrosoftTeams features are coming to @MSFTDynamics365, the company announced at @MS_Ignite. #MicrosoftIgnite… twitter.com/i/web/status/1…

March 4, 2021
ChannelFutures

.@PreciselyData acquired by Clearlake Capital, @TAAssociates. #digitaltransformation dlvr.it/RtzbKg https://t.co/1rNYnTScxq

March 4, 2021
ChannelFutures

Thanks for attending #CPVirtual. Here's a Day 3 wrap and a look ahead to #CPExpo Homecoming in November!… twitter.com/i/web/status/1…

March 4, 2021
ChannelFutures

.@Veeam announces six annual Impact Partner Awards, with @SHI_Intl, @LogicalisUS, more. #cloud… twitter.com/i/web/status/1…

March 4, 2021
ChannelFutures

#XDR can improve operational efficiency for #MSPs. @TrendMicro #security #endpoint #AI #threatintelligence… twitter.com/i/web/status/1…

March 4, 2021
ChannelFutures

.@IBM adds two senior execs to leadership team at infrastructure IT spinoff, NewCo. @IBMNews @IBMPartners… twitter.com/i/web/status/1…

March 4, 2021
ChannelFutures

RT @ChannelEurope: Craving more #EMEA news? Get the latest headlines, insights and commentary in EMEA directly to your inbox. Subscribe to…

March 4, 2021

MSSP Insider

Newsletters and Updates

Sign up for The Channel Report, Channel Futures Update, MSP 501 Newsletter and more.

Live Channel Events

Get the latest information on the next industry-leading Channel Partners event.

Channel Partners Online

Want more? Find more channel news and analysis on our sister site, Channel Partners.

Media Kit And Advertising

Want to reach our audience? Access our media kit

DISCOVER MORE FROM INFORMA TECH

  • Channel Partners Online
  • Channel Partners Events
  • MSP 501
  • MSSP Insider
  • IoT World Today
  • Webhostingtalk

WORKING WITH US

  • Contact
  • About us
  • Advertise
  • Newsletter

FOLLOW Channel Futures ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2021 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X