DevSecOps: Overcoming the Culture of ''No''

Learn about building security into your DevOps pipeline and overcoming obstacles by investing in your people.

by Derek Weeks · Aug. 13, 18 · Opinion

Traditional security has thrived in a culture of "no."

The Culture of "No"

We have all met that wall. And when those walls exist, people find ways around them. The workarounds make their lives easier. They implement what they think is best. Their efforts are not intentionally destructive but can lead to unintentional vulnerabilities and, potentially, harm.

At All Day DevOps, DJ Schleen (@dschleen) tackled security issues in his talk, Automating Security in DevOps - Security in the Pipeline. While he studied physical architecture and design, he now works in software security architecture and is a DevSecOps Evangelist for insurance giant Aetna.

The culture of "no" is exactly the kind of culture DevOps is designed to improve, and, as DJ asserts in his talk, "DevOps is an unprecedented opportunity for security." DevOps provides a system to react quickly by supporting a continuous delivery culture and the addition of security controls into an automated environment.

Invest in People

DevOps is also about investing in people, improving the lines of communication between development, operations, and security, and automating where you can automate to give humans the ability to focus on what we do best. You maximize success with DevOps when you invest in people, which, in turn, also improves your processes and tools.

So, how do we change security from a culture of "no" to a culture of "yes," or, perhaps more appropriately, "Yes, but this is what it looks like"?

To start, DJ first looks at the underlying system and asks, "Is Agile 'agile' enough?" to force this change. When his answer is "no," he knows it's time for DevOps.

Too often, Agile is just a collection of mini waterfalls. DJ states, "DevOps breaks the chain of waterfalls. With DevOps, you can get fixes out quickly and easily. No one has to come in on Saturday."

Building Security Into the DevOps Pipeline

To fully recognize the benefits of DevOps for security, DJ notes you must build security into the pipeline, automate wherever possible, and have security professionals code too. DJ outlines some goals:

  • Be a culture of yes and working together
  • Deliver remediation guidance back to developers
  • Integrate security knowledge and secure coding practices into your DevOps teams
  • Have security teams "get hands dirty" by coding
  • Don't just automate the scan button
  • Pass software through well-defined and automated gateways where guardrails are in place to assess code security without decreasing velocity
  • Utilize automation to stop or pause the delivery pipeline when critical vulnerabilities are detected or manual intervention is necessary
  • Utilize automation to provide actionable remediation guidance
  • Remember software after production deployments
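The automated gateway these goals describe, as an added example that is not from the article or from DJ's talk: a small Python gate that reads a dependency-scanner report (the JSON layout, package names and finding ids are constructed placeholders, not any real tool's format), stops the pipeline when a critical finding has a fixed version available, pauses it for a human decision when no fix exists, and prints actionable remediation lines for everything at or above a warning threshold.

```python
"""Added example: a minimal automated security gate for a delivery pipeline.

Policy: findings at or above ``block_at`` stop the pipeline when a fixed
version exists (the developer can act), or pause it for manual review when
no fix is available (a human must decide). Findings at or above ``warn_at``
are turned into remediation guidance for the developer either way.
"""
import json
import sys
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in a hypothetical scanner format; the package
# names and finding ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "EXAMPLE-0001", "package": "example-http-lib", "version": "1.2.0",
         "severity": "critical", "fixed_in": "1.2.5"},
        {"id": "EXAMPLE-0002", "package": "example-yaml", "version": "3.0.1",
         "severity": "high", "fixed_in": "3.1.0"},
        {"id": "EXAMPLE-0003", "package": "example-logger", "version": "0.9.0",
         "severity": "low", "fixed_in": None},
    ]
})


@dataclass
class GateResult:
    status: str                  # "pass", "stop" or "pause"
    exit_code: int               # 0 continue, 1 stop pipeline, 2 pause for human review
    guidance: List[str] = field(default_factory=list)


def _rank(severity: str) -> int:
    """Map a severity label to a comparable rank; unknown labels rank below 'low'."""
    return SEVERITY_RANK.get(str(severity).lower(), 0)


def evaluate_gate(report_json: str, block_at: str = "critical", warn_at: str = "high") -> GateResult:
    """Apply the gate policy to a scanner report and return the decision plus guidance."""
    findings = json.loads(report_json).get("findings", [])
    block_rank, warn_rank = _rank(block_at), _rank(warn_at)

    guidance: List[str] = []
    for f in findings:
        if _rank(f.get("severity", "")) < warn_rank:
            continue  # below the reporting threshold: no noise for the developer
        pkg = f"{f['package']}@{f['version']}"
        if f.get("fixed_in"):
            guidance.append(f"[{f['severity']}] {f['id']}: upgrade {pkg} to {f['fixed_in']}")
        else:
            guidance.append(f"[{f['severity']}] {f['id']}: no fixed version for {pkg}; needs manual review")

    blocking = [f for f in findings if _rank(f.get("severity", "")) >= block_rank]
    if any(f.get("fixed_in") for f in blocking):
        return GateResult("stop", 1, guidance)   # developer can remediate: fail fast
    if blocking:
        return GateResult("pause", 2, guidance)  # no fix exists: a human must decide
    return GateResult("pass", 0, guidance)


def main(argv: List[str]) -> int:
    """CLI entry point: read a report file (or the built-in sample) and exit with the gate's code."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate_gate(report)
    print(f"security gate: {result.status.upper()}")
    for line in result.guidance:
        print("  " + line)
    return result.exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in as a pipeline step that runs the script against the scanner's output and maps exit code 1 to a failed build and exit code 2 to a manual-approval stage; keeping the thresholds as parameters is what lets the gate assess code security without turning every medium finding into a blocked release.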

Chaos in Your Comfort Zone

What are some practical techniques DJ recommends? First, introduce chaos.

Chaos is a matter of stretching your comfort zone. DJ recommends going beyond traditional monitoring. Consider:

  • Randomly take containers down
  • Explore holes in your development practices
  • Unleash random hell on your infrastructure and applications
  • Continuously review the stability and resiliency of your systems
  • Execute attacks in production

DJ digs into the details of each of these techniques, but, in the end, it all comes back to introducing chaos to improve your preparedness for attacks and your understanding of the entire system.

Of course, this approach has challenges. DJ mentions selecting the right toolsets, tailoring the people, processes, and tools to unique environments, teaching old dogs new tricks, having multiple "flavors" of DevOps, and making KPIs and indicators actionable.

Don't Go the Road Alone

To dig into the details with DJ, watch his full talk for free here. Then if you have any questions, ping him on Twitter (@dschleen) where he is very active in the community. We all learn from one another, so don't go the road alone.

In the meantime, his takeaways are:

  • Don't fear deploying rapidly and often into production
  • Always gather information in the form of KPIs and make them ACTIONABLE
  • Support the organization with tools, techniques, and best practices
  • Automate EVERYTHING
  • Defects are defects - regardless of whether they are a code defect or a security vulnerability
  • Code your infrastructure - eliminate access to physical or cloud-based machines
  • Choose tools that interfere minimally with flow
  • Introduce chaos to become a moving target

If you missed any of the other 100 speakers at All Day DevOps, you can find their 30-minute presentations here.

All Day DevOps 2018

All Day DevOps 2018 is just around the corner! Registration is available here.

The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30 minutes long. With 5 separate tracks (CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering) and 100 speakers, there's sure to be something for everyone.

And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.

Hope to see you online at the show!

security DevOps Continuous Integration/Deployment

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
