Case Study: Moving to DevSecOpsSentara Healthcare CISO Daniel Bowden Describes Organization's New Approach
Since Sentara Healthcare adopted a DevSecOps approach, CISO Daniel Bowden says, his security team has gained improved visibility into the application development process.
"Anything we've done in public cloud with our new apps - anything that falls into our DevSecOps model - my team now has complete visibility as every change happens," he says in an interview with Information Security Media Group.
"They know configuration changes, and we're able to be part of security testing of code, penetration testing, and we've developed these iterative cycles with the development and the ops teams where we're just included in every step along the way," he says.
"That's what you want DevSecOps to be - the security team is incorporated into each step of the development process."
Compared to before Sentara Healthcare adopted a DevSecOps approach, application security improvement "is night and day," Bowden says.
"Just on the applications we've built, or applications we've moved into public cloud, we have that configuration evidence documented perfectly now. Where in the past, over time, when there was turnover ... there were always challenges with configuration and managing templates."
In the interview (see audio link below photo), Bowden also discusses:
- Important lessons learned so far in Sentara Healthcare's move to a DevSecOps approach;
- Other top challenges and benefits related to taking a DevSecOps approach;
- Advice to other healthcare entities considering a move to DevSecOps.
As CISO at Sentara Healthcare, an integrated delivery system serving Virginia and North Carolina, Bowden is responsible for coordinating compliance with all security rules, as well as leading the information security risk management framework, risk analysis process and risk assessments for critical data and systems. Previously, he served as CISO for the University of Utah.