From a Commodore 64 to DevSecOps

Security doesn’t understand how developers or operations works. Security solves for security, but that leaves everyone else in their own place.

by Derek Weeks
Feb. 28, 17 · Opinion

We all know the story: a farm, a kid, a Commodore 64, and a modem maxing out at 300 bps. A few unexpected phone bills later, and young Ian Allison is figuring out how to game the system so he can keep using his newfound gateway to the world of tech. According to Ian, that is where he began building the foundation of skills for his career in computer security.

At the recent All Day DevOps conference, Ian (@iallison), now with Intuit, talked about his history of being “that” security guy. You know, the one who thinks developers don’t care about security or deadlines, and, really, are just plain “stupid.” Don’t worry — he is enlightened now and realizes that we all have the same goal: everyone wants to build a secure system.

Ian realized:

“Security doesn’t understand how developers or operations works. Security solves for security, but that leaves everyone else in their own place.”

He started his enlightenment when his career path led him to a place called DevSecOps — DevOps where security plays a more integral role.


Ian pointed out that traditional InfoSec relies on compliance, regulations, appliances, and perimeter (CRAP). He then recognized the selfishness of his own and his peers' perspective: remediation was left up to the developers, the only feedback they got was a 200-page scanner report, and the whole exercise solved problems only for security and compliance. It did nothing to help developers reach the shared goal of a secure system.

DevOps creates an opportunity for security to get a better view into our infrastructure, operations, and development efforts. DevOps is not only fast, lean, and efficient, but when done right, it is collaborative and empathetic. Couple speed with collaboration and empathy and DevSecOps can blossom.

Here is the reality Ian was facing: scanners find the absolute bare minimum, bad default configurations are a huge problem even with SaaS vendors, manual testing uncovers defects that have been hiding for years, and the attackers are more skilled and more motivated than the tooling assumes.

How do you implement it and make it better?

  • Allow Dev teams to assume the risk of their decisions.
  • No more security exceptions or sign-offs.
  • Security is everyone’s responsibility.
  • Test the crap out of your own stuff like an attacker would.

At Intuit, Ian wanted to help build stronger bridges between development, operations, and security teams. To do this, he set up a Red Team to:

  • Use the same tactics as attackers.
  • Have only one rule of scope: don't take down production.
  • Adapt and evolve like an attacker.
  • Prove that risks actually exist.
  • Write their own exploits.
  • Run ongoing campaigns that mimic real attackers.


The Red Team started small, lean, and focused on the cloud. They worked like an Agile DevOps team, testing mostly by hand with some tooling support. In the end, they found, reported, and fixed thousands of vulnerabilities that the scanners had not found.


Ian goes into more details and lessons learned in his full All Day DevOps conference session (just 30 minutes). The other 56 presentations from the All Day DevOps Conference are also available online, free-of-charge.


Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
