How ICE implemented a developer-focused DevSecOps workflow (SEC211)
Key Takeaways
The Evolution of Software Development and the Need for DevSecOps
Traditional software development was characterized by long development cycles, siloed teams, waterfall processes, and limited software supply chains.
Modern software development has shifted to rapid, agile, and iterative cycles with microservices, cloud-native architectures, and complex software supply chains.
This shift has created new challenges for security, as traditional approaches of testing and securing code after development do not align with the velocity of modern DevOps practices.
DevSecOps emerged to integrate security into the developer workflow, but that shift raises a new challenge: giving developers the context and risk information they need to make informed security decisions at the point where they write code.
Intercontinental Exchange (ICE) and the DevSecOps Journey
ICE, the owner of the New York Stock Exchange, has had to navigate a diverse technology landscape: a mix of traditional data center-based applications and cloud-native architectures, much of it inherited through acquisitions.
To address the security challenges in this complex environment, ICE has focused on building a "lingua franca" of security, using a ticket-based system to normalize and contextualize vulnerability information for developers.
This has involved creating a tiering process that prioritizes applications based on factors like exposure and business criticality, and establishing governance and SLAs around the remediation of critical- and high-risk findings.
ICE has also worked to build trust and credibility with developer teams by providing them with the necessary context and tooling (e.g., Snyk) to understand and address security issues within their workflows.
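The normalize-and-tier workflow described in the three points above, as an added example that is not ICE's code and not Snyk's: findings from two scanners with different schemas are mapped onto one common schema, each application gets a tier from its exposure and business criticality, and each ticket gets an SLA due date from its tier and severity. The scanner record formats, the application inventory, the tier rules and the SLA day counts are constructed assumptions for illustration; the talk gives no such values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample output from two hypothetical scanners that disagree on
# schema: an SCA tool reporting CVSS scores and a SAST tool reporting word
# severities. Neither is a real tool's output format.
SCA_RESULTS = [
    {"project": "settlement-api", "package": "lodash", "cvss": 9.1,
     "vuln_id": "VULN-A-0001", "summary": "Prototype pollution"},
    {"project": "intranet-wiki", "package": "jinja2", "cvss": 5.3,
     "vuln_id": "VULN-A-0002", "summary": "Template escaping bypass"},
]
SAST_RESULTS = [
    {"app": "settlement-api", "rule": "sql-injection", "level": "High",
     "file": "orders/query.py", "line": 42},
    {"app": "intranet-wiki", "rule": "weak-hash", "level": "Low",
     "file": "auth/hash.py", "line": 7},
]

# Assumed application inventory (constructed): exposure and business
# criticality decide the tier an application is held to.
APP_INVENTORY = {
    "settlement-api": {"exposure": "internet", "criticality": "high"},
    "intranet-wiki": {"exposure": "internal", "criticality": "low"},
}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Assumed remediation SLA in days, keyed by (tier, severity); illustrative only.
SLA_DAYS = {
    (1, "CRITICAL"): 7,  (1, "HIGH"): 30, (1, "MEDIUM"): 90,  (1, "LOW"): 180,
    (2, "CRITICAL"): 14, (2, "HIGH"): 60, (2, "MEDIUM"): 120, (2, "LOW"): 365,
    (3, "CRITICAL"): 30, (3, "HIGH"): 90, (3, "MEDIUM"): 180, (3, "LOW"): 365,
}

@dataclass(frozen=True)
class Finding:
    """Common schema every scanner result is mapped onto before ticketing."""
    app: str
    source: str
    identifier: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW
    location: str
    title: str

def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score onto the v3 qualitative rating scale."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def normalize_sca(rec: dict) -> Finding:
    return Finding(rec["project"], "sca", rec["vuln_id"],
                   severity_from_cvss(rec["cvss"]), rec["package"], rec["summary"])

def normalize_sast(rec: dict) -> Finding:
    level = rec["level"].upper()
    if level not in SEVERITY_RANK:
        # Fail loudly rather than silently defaulting an unknown rating to LOW.
        raise ValueError(f"unknown SAST severity {rec['level']!r}")
    return Finding(rec["app"], "sast", rec["rule"], level,
                   f"{rec['file']}:{rec['line']}", rec["rule"])

def app_tier(app: str) -> int:
    """Tier 1: internet-facing and business-critical; tier 3: neither. An app
    missing from the inventory is treated as tier 1 so an inventory gap cannot
    silently relax its SLA."""
    inv = APP_INVENTORY.get(app)
    if inv is None:
        return 1
    internet = inv["exposure"] == "internet"
    critical = inv["criticality"] == "high"
    return 1 if internet and critical else 2 if internet or critical else 3

def build_tickets(findings, opened: date) -> list:
    """Attach tier and SLA due date to each finding; the most urgent work for
    the most exposed applications sorts first."""
    tickets = []
    for f in findings:
        tier = app_tier(f.app)
        tickets.append({"app": f.app, "tier": tier, "severity": f.severity,
                        "source": f.source, "identifier": f.identifier,
                        "location": f.location, "title": f.title, "opened": opened,
                        "due": opened + timedelta(days=SLA_DAYS[(tier, f.severity)])})
    tickets.sort(key=lambda t: (t["tier"], SEVERITY_RANK[t["severity"]], t["due"]))
    return tickets

def overdue(tickets, today_iso: str) -> list:
    """Tickets past their SLA date: the input to escalation under governance."""
    today = date.fromisoformat(today_iso)
    return [t for t in tickets if t["due"] < today]

def ingest(opened_iso: str) -> list:
    """Run both scanner feeds through normalization and ticketing."""
    findings = [normalize_sca(r) for r in SCA_RESULTS]
    findings += [normalize_sast(r) for r in SAST_RESULTS]
    return build_tickets(findings, date.fromisoformat(opened_iso))
```

Two design choices matter more than the numbers: an application absent from the inventory is treated as tier 1 (fail closed, so a stale inventory cannot quietly loosen an SLA), and a severity label the normalizer does not recognize raises instead of being mapped to LOW.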
The Path Forward for DevSecOps
Automating and integrating security into the developer experience is a key focus area, including the potential use of AI and machine learning to correlate vulnerability data with application context and risk.
Aligning incentives and accountability for security across product owners, business stakeholders, and development teams is an ongoing challenge that requires cultural and organizational changes.
Developing open standards and flexible security platforms that can adapt to diverse technology and cultural landscapes within an organization is an area ripe for innovation in the DevSecOps space.