DevSecOps With Graph for Valuable Insights
Blog post from Neo4j
Marco De Luca and Jelmer de Reus explore how integrating IT infrastructure, service, and security operations data can yield actionable insights into an organization's IT environment, focusing on the challenges and solutions of identifying and managing software vulnerabilities such as the Log4j flaw. They highlight the importance of using comprehensive tools and processes, such as Software Composition Analysis (SCA) and Static Application Security Testing (SAST), to analyze software risks, and the necessity of a connected data model that includes metadata and organizational structures. The authors present a case study involving a large government body, illustrating the use of graph databases to visualize and manage software vulnerabilities effectively. They emphasize the value of dashboards that provide an overview of software components and their vulnerabilities, enabling organizations to identify critical risks and the responsible teams efficiently. The article also discusses the potential of further expanding these data models with information about developers and teams, stressing the importance of securing that sensitive data with role-based or attribute-based access control.
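As an added illustration, not code from the original post or from Neo4j, here is a minimal version of the connected data model the summary describes, written in Cypher: teams own applications, applications depend on components (directly or transitively), and SCA findings attach vulnerabilities to components, so a dashboard query can walk from a critical vulnerability back to the responsible team. The node labels, relationship types, property names, application and component names, and the vulnerability id `CVE-PLACEHOLDER-LOG4J` are all constructed for this example.

```cypher
// Constructed sample data: a tiny slice of what an SCA scanner plus a CMDB would feed in.
// Labels, properties and values are assumptions for this illustration, not the post's schema.
CREATE (platform:Team {name: 'Platform'}),
       (portal:Team {name: 'Citizen Portal'}),
       (appA:Application {name: 'benefits-portal'}),
       (appB:Application {name: 'batch-reporting'}),
       (appC:Application {name: 'static-site'}),
       (web:Component {name: 'internal-web-framework', version: '3.1.0'}),
       (log4j:Component {name: 'log4j-core', version: '2.14.1'}),
       (json:Component {name: 'json-lib', version: '1.0.0'}),
       (v:Vulnerability {id: 'CVE-PLACEHOLDER-LOG4J', name: 'Log4Shell',
                         severity: 'CRITICAL', cvss: 10.0}),
       (portal)-[:OWNS]->(appA), (platform)-[:OWNS]->(appB), (platform)-[:OWNS]->(appC),
       // benefits-portal only pulls in log4j transitively, through the internal framework
       (appA)-[:DEPENDS_ON]->(web), (web)-[:DEPENDS_ON]->(log4j),
       (appB)-[:DEPENDS_ON]->(log4j),
       (appC)-[:DEPENDS_ON]->(json),
       // the SCA finding, with a constructed scan date
       (log4j)-[:AFFECTED_BY {source: 'sca-scan', found: date('2021-12-13')}]->(v);

// Dashboard query 1: for every CRITICAL vulnerability, which applications are exposed,
// through which dependency path (direct or transitive, up to 5 levels), and which team owns them.
// length(p) counts OWNS and AFFECTED_BY as well, so subtract 2 to get the dependency depth.
MATCH p = (t:Team)-[:OWNS]->(a:Application)-[:DEPENDS_ON*1..5]->(c:Component)
          -[:AFFECTED_BY]->(v:Vulnerability)
WHERE v.severity = 'CRITICAL'
RETURN t.name AS team, a.name AS application,
       c.name + ':' + c.version AS component, v.id AS vulnerability,
       length(p) - 2 AS dependency_depth
ORDER BY team, application;

// Dashboard query 2: the overview tile, one row per team with its count of exposed applications.
MATCH (t:Team)-[:OWNS]->(a:Application)-[:DEPENDS_ON*1..5]->(:Component)
      -[:AFFECTED_BY]->(v:Vulnerability)
WHERE v.severity = 'CRITICAL'
RETURN t.name AS team, count(DISTINCT a) AS exposed_applications,
       collect(DISTINCT v.name) AS vulnerabilities
ORDER BY exposed_applications DESC;
```

The variable-length `DEPENDS_ON*1..5` pattern is what makes the graph model pay off: benefits-portal never lists log4j-core as a direct dependency, yet the first query still surfaces it (with depth 2) alongside batch-reporting (depth 1), while static-site correctly stays out of both result sets.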