The Path of DevOps Enlightenment for Infosec

Security is in crisis. Can security, as an industry, rise to the demands of DevOps?

Derek Weeks · Nov. 26, 18 · Presentation

Security is in crisis. Can security, as an industry, rise to the demands of DevOps? Is the DevOps culture able to handle security and all of its baggage? Will security destroy the DevOps culture?

These are the questions James Wickett (@wickett) addressed in his talk at the 2018 Nexus User Conference. If you haven't heard James speak before, he is an InfoSec guy who embraces DevOps. He writes DevOps training for Lynda.com and is a founder of the Gauntlt open source project and DevOps Days Austin. Currently, he is the Director of Research for Signal Sciences.

As an alumnus of both large organizations and small startups, he has seen the worst, the better, and the worst transforming into the better. He now sees security at forward-leaning development shops, where it wasn't before, and applauds the juxtaposition of the old and the new to create, and embrace, DevSecOps. But the path to enlightenment isn't always clear, which is why James lays out a "yellow brick road," of sorts, for those still wandering in the darkness.

James' first big company job was at an ecommerce organization with $1 billion in annual sales. He had brutal on-call shifts, 24-hour-plus deployments, and waterfall, waterfall, and more waterfall. The good news: "friends are born from adversity."

James then moved to a startup, where he found cloud services, lots of failure, lots of happiness, and a feeling that this was how he wanted to live his life. However, in 2010 he rejoined his old team, the same friends born from adversity.

Enter DevOps. Back at the big company, they were embracing DevOps principles. They were not at a Continuous Deployment level yet, but they did have daily deploys. They ended up delivering 4 SaaS products in 2 years using DevOps and cloud services.

During this time, he realized that for DevOps to succeed, the culture needed to lean even more toward Ops, because for every operations staffer there tend to be ten developers. The ratio is even more tilted for security: for every 100 developers, there tends to be one security staffer. Despite this, James held out hope of pulling security into DevOps, and saw the potential for DevSecOps to become mainstream.

James touts DevSecOps in part because security is in a crisis. As he quotes Steven Bellovin from Thinking Security, "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process."

He also quotes Michael Zalewski, from The Tangled Web: A Guide to Securing Modern Web Applications: "[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work."

James asserts that the reality is that security must change or die, and he lays out the old path juxtaposed with the new path:

Old Path              New Path
Embrace security      Create feedback loops
Just pass audit       Compliance adds value
Build a wall          Zero trust networks
Slow validation       Fast and non-blocking
Certainty testing     Adversity testing
Test when done        Shift left
Process driven        The paved road

He also reminds us that for DevSecOps to work, the culture of the organization has to embrace it. He quoted Patrick Douglas, who coined the term DevOps: "Culture is the most important aspect to DevOps succeeding in the enterprise."

To that, James believes there are four keys to strong culture:

  • Mutual understanding
  • Shared language
  • Shared views
  • Collaborative tooling

While this is easier said than done, the consequences of failing to create that strong culture can be fatal.

To hear more from James, including on rugged security and on tying performance and function to your compute resources, listen to his full talk, for free, here. Listen to all of the talks from the 2018 Nexus User Conference here.

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
