What Is DevSecOps, and Why Is It Important to Security? – Interconnections – The Equinix Blog


Organizations aren’t the only ones who can “shift left.” As the threat landscape shifts, cybercriminals follow suit by targeting developers and their build systems as entry points for attack campaigns against infrastructure-as-code (IaC) deployments, Kubernetes environments, and supply chains.

So, who is responsible for security? The reality for end users is that there is only so much they can do with the built-in security measures an app or product has. This gives developers the de facto responsibility to secure the software they build and maintain, and thus makes them accountable for it. However, security teams are also responsible for providing guidance to developers on protecting their software.

It should be embedded in the culture that developers see themselves as part of the security solution by putting even more care into their coding practices. This cultural shift should mean fostering an environment that allows them to do just that. It all boils down to team collaboration; after all, we all just want secure, reliable products.  

Secure Software Development Life Cycle (SSDLC) at Equinix 

In Equinix’s ongoing concerted efforts to shift security left, we’re driving increased collaboration between developers, operations, and security teams through a program called NEXTcode. It is a company-wide effort to incorporate security into every phase of the software development lifecycle and its infrastructure, enabling the necessary security tools for scanning and remediation, as well as providing developers with secure coding training, support, and guidance if they need it.

Security in DevOps

The NEXTcode Developer Security Certification program is aimed at training and enabling developers to use secure coding practices, as well as establishing an ongoing education and hands-on training platform to support the needs of our developer community. The first phase of this program focused on the OWASP Top 10, which provides a deeper understanding of the most critical security risks facing web applications today, followed by secure coding and code repository best practices.

Furthermore, our global cybersecurity awareness program allows developers to take advantage of resources and training available to tackle secure coding concepts and practices, including code reviews/scans and capture the flag (CTF) games.

We see training as necessary in security disciplines in application development, adhering to standards, and practicing security fundamentals such as:

  • Understanding the shared responsibility model
  • Adopting the principle of least privilege
  • Having the knowledge to remediate code findings if they occur
  • Understanding the developer’s responsibility toward open-source code

We continue to make strides in innovating and securing our infrastructure to ensure we’re giving the most reliable and scalable services to our customers — and that includes equipping developers and security teams to be key figures in building software- and security-defined products. This move toward SSDLC is important in supporting Platform Equinix and collaborating with enterprise customers to securely drive their digital infrastructure projects.

Learn more about making digital infrastructures future-ready in the Platform Equinix Vision Paper (PEVP).

We discuss more about how organizations can prevent security risks and secure their digital infrastructures from attacks in our blog post on zero trust security and zero touch security.

 

Thanks to Alex Armstrong for providing much-needed insights into the Equinix Developer Security Certification Program.

 



