DevSecOps - It's Not Me or You, It's WE!
Read on for a collection of important takeaways from Electric Cloud's expert panel discussion on the importance and demands of DevSecOps.
Next month, we're proud to participate in two special events focusing on DevSecOps:
- DevOps Connect: DevSecOps Days @ RSAC 2018. Taking place on April 16th at the Marriott Marquis in San Francisco, DevSecOps Days is a full day of sessions and panel discussions focused on best practices and patterns for DevSecOps, and on how DevOps can enable security. DevSecOps Days is free to all RSA Conference badge holders; the conference itself runs April 16-20 at the Moscone Center in San Francisco.
- On April 18th we're hosting our webinar with John Willis: You Build It, You Secure It - Higher Velocity and Better Security with DevSecOps. John Willis and Electric Cloud's CTO, Anders Wallgren (both will also be at DevSecOps Days), will share tips that let developers and operators increase delivery velocity and harden their pipelines by bringing security earlier into the delivery process.
Ahead of DevSecOps Days and our webinar with John, we wanted to share some tips and emerging trends for DevSecOps that experts shared on another industry panel, the one held at DevOps Enterprise Summit San Francisco 2017. Participants in this DevSecOps panel discussion were software delivery and security experts Anders Wallgren, CTO, Electric Cloud; Paula Thrasher, Director Digital Services, CSRA; John Willis, VP of DevOps and Digital Practices, SJ Technologies; Caroline Wong, VP Security Strategy, Cobalt; Curt Yanko, architect, Sonatype; and Rob Stourd. Alan Shimel, Editor-in-Chief at DevOps.com, moderated the session.
These leaders discussed some of the major security trends emerging from the DevOps movement, including tools, techniques and how to build a culture of security that is organization-wide. Continue reading for a list of the top lessons learned from this discussion:
Security failures pose a real threat not only to organizations as a whole, but to individual stakeholders, and the fear that creates is hard to overcome, says Thrasher: "The 'one throat to choke' thing is real. It goes all the way up to the board. And this reality changes the entire conversation because people all the way up the chain feel like, 'I could lose my job. I could go to jail.' It's different than when a server goes down, you just go apologize."
The first step to taking security seriously is to communicate, per Wallgren: "We have to take security seriously. It begins with communication, understanding each other's motivations, goals, and understanding the complexity of that."
Blame culture often underlies bad security and low performance, says Willis: "Sidney Dekker [talked] about a restorative culture, a just culture, and how you can't just blame people. Even if it was that person, it's the system that engaged and created that person. You are not going down a high-performance path if you're trying to institute punitive restorative justice...You'll never get anywhere."
When it comes down to it, we're really all working towards the same goal, explains Wong: "A security person might believe that you should put a $200 fence around a $5 asset. That doesn't make any sense. The reason that DevOps exists is to support the business. The reason that security exists is to support the business."
Put frankly, more money needs to be going to security today, states Yanko: "We're at a time where there's tremendous opportunity and technology and new ways to think about things. We have to look at our budgets and realign them. I think security budgets are woefully misaligned to today's breakdown of where we need to be spending our money."
Security is not an easy thing, but it can be made simpler by practicing security measures as a team versus in silos, suggests Thrasher: "You can't control for complexity. Engineering's hard, security's harder. And what you can't control for is how your team behaves in the environment they live in. One thing you can do actionably is, as a team, which hopefully includes security, practice defending as a team."
A key to good security is knowing what you're shipping and everything that goes into it, explains Wallgren: "Know what you're shipping, know your bill of materials. Whatever product you use to do that, or whatever process you use to do that, do it, because you're going to have to answer that question at some point. And you don't want to take hours or days to answer."
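To make the bill-of-materials point concrete, here is a small added example (not from the panel, and not Electric Cloud's or Sonatype's code) that builds a component inventory from two dependency manifests and answers the question "which of our services ship this package?" in one pass. The service names, the requirements.txt and package-lock.json contents, and the policy list are all constructed for illustration; the policy entries represent a hypothetical internal version baseline, not real advisories. It also shows how the same inventory doubles as a CI gate, which is the pipeline-level integration Willis describes below.

```python
"""Minimal software bill of materials (SBOM) inventory plus a CI policy gate."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    service: str     # which deployable ships this component
    ecosystem: str   # "pypi" or "npm"
    name: str        # normalized (lower-case) package name
    version: str


# Constructed sample inputs for two hypothetical services.
REQUIREMENTS_TXT = """\
# hypothetical service: billing-api
requests==2.18.4
pyyaml==3.12   # pinned
flask==0.12.2
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "web-frontend",
    "dependencies": {
        "lodash": {"version": "4.17.4"},
        "express": {"version": "4.16.2",
                    "dependencies": {"qs": {"version": "6.5.1"}}},
    },
})

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#;]+)")


def parse_requirements(service, text):
    """Collect exactly pinned (==) entries from a pip requirements file."""
    comps = []
    for line in text.splitlines():
        m = _REQ_LINE.match(line)
        if m:
            comps.append(Component(service, "pypi", m.group(1).lower(), m.group(2)))
    return comps


def parse_package_lock(service, text):
    """Walk an npm lockfile, including nested (transitive) dependencies."""
    data = json.loads(text)
    comps = []

    def walk(deps):
        for name, meta in deps.items():
            comps.append(Component(service, "npm", name.lower(), meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return comps


def build_inventory():
    """One inventory across all services; in practice this is built per release."""
    return (parse_requirements("billing-api", REQUIREMENTS_TXT)
            + parse_package_lock("web-frontend", PACKAGE_LOCK_JSON))


def version_tuple(v):
    """Crude numeric ordering; non-numeric parts (rc1, beta) compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def who_ships(inventory, ecosystem, name, max_version=None):
    """Which services ship <name>? Optionally only versions <= max_version."""
    hits = []
    for c in inventory:
        if c.ecosystem == ecosystem and c.name == name.lower():
            if max_version is None or version_tuple(c.version) <= version_tuple(max_version):
                hits.append(c)
    return hits


# Hypothetical internal baseline: (ecosystem, name, highest version still flagged).
# Illustrative only; these entries do not describe real vulnerabilities.
POLICY = [("npm", "lodash", "4.17.4"), ("pypi", "pyyaml", "3.12")]


def gate(inventory, policy=POLICY):
    """CI gate: return every shipped component that violates the baseline."""
    violations = []
    for eco, name, max_v in policy:
        violations.extend(who_ships(inventory, eco, name, max_v))
    return violations


if __name__ == "__main__":
    inv = build_inventory()
    for v in gate(inv):
        print(f"BLOCK {v.service}: {v.ecosystem}/{v.name}@{v.version}")
```

The point of the design is that the inventory is produced once, at build time, from the artifacts actually being shipped; answering "are we exposed to X?" then costs one scan of a list rather than a fleet-wide investigation, and the same lookup can fail the CI build before the component ever reaches production.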
Just like when Dev and Ops initially invited QA to the DevOps party, the same needs to be done with the security folks, advises Willis: "Instead of this 'You're over there, we're here,' let's use the QA model and convince security folks we need their Meta and brain in the pipeline at every level - at the IDE, when you check in your code, in the CI build, in the vulnerability scanning, and just invite them to the damn party."
Conversation is just as important in security as it is in DevOps, says Yanko: "Just start having those conversations with security, because that's what DevOps is about. And then you're going to work towards getting visibility, and how to reduce mean time to detection or mean time to remediation. This is a constant theme with all things DevOps. Security is no different."
It's more important than ever to be proactive with security, says Wong: "Today it's sort of a given that your organization is going to be breached, that your organization is going to be compromised. The question is, how quickly can you detect that and how quickly can you respond to it? It's a different way of thinking. It's not so much like putting up a fence, it's whether you are ready to handle the inevitable."
Watch the full recording of the session:
If you want to see more sessions like this, be sure to join us at DevOps Enterprise Summit London (June 25-26, 2018) and DevOps Enterprise Summit Las Vegas (October 22-24, 2018). Early Bird tickets for London are available until March 19! Stay tuned for registration and programming updates from Las Vegas.
More DevSecOps Resources
- Download the eBook: DevSecOps: 5 Ways DevOps and Automation Boost Security and Compliance
- Stay tuned for our May 1 episode of our #c9d9 video podcast, which will also be dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks, and Alan Shimel.
Published at DZone with permission of Anders Wallgren, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.