Accelerating the DevOps process during Covid-19: How CFOs and CISOs can work together
The Covid-19 pandemic has brought about a new normal. Remote working and videoconferencing have never been more popular and, as a direct consequence, neither has the cloud.
Yet a note of caution needs to be applied to those looking at full-speed migration. Jeremy Snyder of DivvyCloud told this publication in April that ‘people are really good at creating stuff, but not at cleaning up after themselves’, while, writing last month, Margaret Rogers, VP at Pariveda Solutions, warned that ‘knowing where to go rarely makes the journey easier’.
Security, more than ever in these uncertain times, is of paramount importance – and Synopsys, an application security provider based in California, knows this better than anyone. Utsav Sanghani, senior product manager at Synopsys, explains that while many customers are looking to accelerate their transformation, be they in financial services or independent software vendors (ISVs), one process is key.
“All of these companies are in this transition, and typically a transition can take multiple years,” he tells CloudTech. “With Covid-19, specifically the companies going through this transition, those that have moved to a more agile, ‘no touch’ DevOps process have been able to embrace this new normal, but some of these organisations with legacy pipelines and no DevOps instrumentation process put in place will struggle.
“Instead of initially being an 18-to-24-month effort, you’ve started to see organisations try and fast track it, now targeting completion in six to eight months, and rush to procure the right tooling and process change, alongside a big cultural change that needs to go in to make this successful,” Sanghani adds.
Yet if your house is built on sand, the fall will still be great regardless of the other changes you make to your organisation. “Obviously a lot of changes need to happen starting with the developers, the build processes, and going to continuous integration,” explains Sanghani. “Those mainframe systems were never built with continuous integration in mind, and so trying to retrofit that to a CI system is a challenge.”
Like many companies in this space right now, Synopsys is seeing customer uptick and engagement across its portfolio, whether it is application security associated with cloud migration, or security in DevOps environments. This process, as with others, has been neatly categorised into a buzzword, DevSecOps. But as Sanghani explains, Synopsys’ goal is to move AppSec into the mainstream – beyond the buzzwords. DevSecOps is an ‘ideology’, while DevOps is ‘truly a cultural change.’
“When we talk about embedding security, the goal is you ideally need to embed it early on in the process,” he says. “DevOps started off with providing a smoother transition between the developer component and the operational component – and with security being so paramount at different stages, your risk varies from stage to stage.
“If you are on the ops side, and you are running a scan and you realise there is an active vulnerability on the system deployed and running in production, you’ve got a problem,” Sanghani adds. “If you find something in the dev phase where it’s not deployed, you still have a good chance of handling it.
“As a buzzword, DevOps has been very exciting for a lot of developers and the different members – and maybe there’s a more democratic process with different people engaging in it. Security can be a part of that. Our main goal is helping security admins in those organisations work with the developer, work with the DevOps engineer, the build engineer, and make security a standard part of the process, even if they move to a closer knit DevOps process.”
So how can such a process be aligned and, more importantly, how can all stakeholders get on board? Focusing minds on the damage which can be done helps, while blue chip brands continue to suffer data breaches – Marriott and Capital One to name two in the past 12 months.
“CFOs and CISOs can work very closely with each other,” he says. “A breach can be really damaging – financially, as well as from a reputational standpoint. Organisations want to avoid that – that’s why they work together to institute changes that will ensure their risk profile is lower.”
“At the ground level, it’s more of an efficiency thing,” he adds. “Build and operations engineers get measured on how fast they are able to churn out code, pass it along the pipeline, and make it possible to get a release out the door. It’s a different perspective for the CXO who is looking at it from the cost standpoint, but they all agree on DevOps primarily for these reasons, because it helps them achieve those benefits.”
Going forward, Synopsys notes the impact Covid-19 is having, both on customers’ roadmaps and how the company can help them. The company’s customers range from startups looking to minimise their application security risk, to larger organisations, from retail to financial services, aiming for best practices.
Sanghani explains that customers rely on more traditional DevOps and collaboration tools, such as Atlassian’s JIRA and ServiceNow, and so ramping that up and getting more automation in is the priority. “Say you found a security defect, an issue in [your] code base – how will [you] get this in front of the developer?” he says. “How do we automate that process and scale up because we’re not working in the same office anymore?
“You can have integrations with JIRA, where you push the issue to JIRA and it has the workflow already set up, and it automatically assigns the issue to the developer. The developer opens up the ticket [and knows they] have to fix this – so facilitating that type of automation is something that Synopsys has started to fast track and help customers during this new normal of Covid-19.”
Alongside this is a move to produce a greater quality of results over quantity. “We’re trying to reduce the number of results we give you, but we can give you the context – so it will tell you something was found by this technology and that technology – and it might be the same issue, so you have to solve it only once,” he adds.
“That’s the part which is missing in the industry today. We give you the individual tool data but how do you bring it all together so a developer understands why it’s a problem? Correlation, and a lot of automation-related stuff around detection and remediation is a major part of our plan,” he adds.
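The workflow Sanghani sketches in the last few paragraphs has two parts: a finding is pushed into a tracker that routes it to the responsible developer automatically, and results from different tools are correlated so that one underlying defect is fixed once rather than once per scanner. The Python below is an added example written for this article, not Synopsys product code and not any vendor's API. The two scanner outputs, the code-ownership map and the ticket fields are all constructed for illustration; a real integration would map the ticket dictionary onto the tracker's issue schema.

```python
"""Correlate findings from several security scanners and build one ticket per unique issue.

Added example, not Synopsys code. Scanner outputs, ownership map and ticket format
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it
    file: str       # path within the repository
    line: int       # 0 when the tool reports at file granularity (e.g. dependency manifests)
    cwe: str        # weakness class, used as the common vocabulary across tools
    title: str      # tool-specific wording of the same problem
    severity: str   # low / medium / high / critical


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from three hypothetical scanners (two SAST, one SCA).
RAW_FINDINGS = [
    Finding("sast-a", "app/auth/login.py", 42, "CWE-89", "SQL injection in login query", "high"),
    Finding("sast-b", "app/auth/login.py", 42, "CWE-89", "SQLi: untrusted input reaches query", "critical"),
    Finding("sast-b", "app/api/export.py", 17, "CWE-22", "Path traversal in file export", "medium"),
    Finding("sca", "requirements.txt", 0, "CWE-1104", "Dependency with known vulnerability", "high"),
    Finding("sast-a", "app/api/export.py", 17, "CWE-22", "Directory traversal", "medium"),
]

# Constructed ownership map (CODEOWNERS style): path prefix -> assignee.
OWNERS = {"app/auth/": "alice", "app/api/": "bob", "requirements.txt": "carol"}


def correlation_key(f: Finding) -> tuple:
    """Two tools describe the same defect differently; location plus weakness class is
    what they agree on, so that is the key findings are grouped by."""
    return (f.file, f.line, f.cwe)


def correlate(findings):
    """Group findings that point at the same defect."""
    groups = {}
    for f in findings:
        groups.setdefault(correlation_key(f), []).append(f)
    return groups


def resolve_owner(path: str, owners: dict, default: str = "appsec-triage") -> str:
    """Longest matching prefix wins; unowned paths go to a triage queue rather than nobody."""
    best = None
    for prefix, owner in owners.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, owner)
    return best[1] if best else default


def build_tickets(findings, owners):
    """One ticket per correlated group, carrying the worst severity any tool assigned
    and the list of tools that agree, so the developer sees the context once."""
    tickets = []
    for (file, line, cwe), group in sorted(correlate(findings).items()):
        worst = max(group, key=lambda f: SEVERITY_RANK[f.severity])
        tickets.append({
            "summary": f"[{cwe}] {worst.title} ({file}:{line})",
            "assignee": resolve_owner(file, owners),
            "severity": worst.severity,
            "found_by": sorted({f.tool for f in group}),
            "correlation_key": f"{file}:{line}:{cwe}",
        })
    return tickets


if __name__ == "__main__":
    # Five raw findings collapse to three tickets, each routed to its owner.
    for ticket in build_tickets(RAW_FINDINGS, OWNERS):
        print(ticket)
```

The correlation key is deliberately coarse (file, line, CWE) so that differently worded reports from two tools collapse into one ticket; the ticket keeps the most severe rating and names every tool that agreed, which is the "found by this technology and that technology" context described above.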