You are not practicing DevOps unless security is baked into the methodology.
I had a great time having one-on-one discussions with security professionals at Black Hat USA 2019, on the heels of gathering insights from nearly 100 IT professionals for DZone.com's Security Research Guide in February and March, our DevSecOps Trend Report in May, and our AppSec Trend Report in June.
It was interesting to see the number of participants dwindle as we went from the broad topic of security, with more than 50 contributors, to 30 for DevSecOps, to only five for Application Security.
It appears that “security” is on everyone’s mind with very public large data breaches and GDPR. Plenty of people are talking about integrating security into their DevOps pipeline since it’s worthless just tacking security on at the end of the process; however, the number of people willing to have hard conversations around AppSec and API security is disheartening.
Security is not getting better. Everyone in development, operations, and security needs to stop talking broadly about the subject of security and start having difficult conversations about securing applications and APIs.
Automation is required to scale to meet the demands of business and customers. Defining the right tools and processes requires dissolving silos and making changes so that security and QA testing do not hinder the speed with which code is developed and deployed.
This is a heavy lift, but unless we try, it’s not going to improve.
Key takeaways from my discussions:
- We need to push static and dynamic testing out and replace it with IAST and RASP for real-time automated testing that is able to scale and meet the demands of a DevOps methodology.
- Visibility is key — who is attacking, what attack vectors they are attempting to exploit, what systems they are targeting, and whether the attacks are being successfully prevented.
- Automation is necessary to keep up with the velocity demands but also to compensate for the talent gap of security professionals. Many security professionals are being elevated due to demand without regard for qualifications.
- Eliminate false positives by adding context around security alerts and using AI/ML to improve accuracy and confidence as more data is gathered.
- Integrate tools to achieve the benefits of a multi-pronged approach and multiple sources of data.
Today, a successful DevOps methodology begins with a strong alignment between development, operations, and security teams with security engaged throughout the value stream as coaches or advisors, aiding, not hindering, the process.
Improve the cultural adoption of DevOps, with security integrated throughout, by enlisting executive sponsorship, ensuring everyone in the organization understands their responsibility for security, having developers and operations be accountable for what they develop and deploy, and by making security as visible as possible so people can see vulnerabilities and attacks to learn and improve for the future.
Thanks to the following for sharing their insights with me during the conference:
- Jeff Williams, Co-founder & CTO, Contrast Security
- Itzik Mantin, Lead Scientist, Imperva
- Andrew Howard, CEO, Kudelski Security
- Russ Currie, V.P. Enterprise Strategy, NetScout
- Sivan Tehila, Director of Solution Architecture, Perimeter81
- Gilad Peleg, CEO, SecBI
- Setu Kulkarni, Corporate Strategy & Development, WhiteHat Security
Opinions expressed by DZone contributors are their own.