DevSecOps: Where DevOps and Security Meet

Source – devops.com

The DevOps methodology as a software and engineering culture goes back nearly 10 years—Patrick Debois coined the term when he named a Belgian software conference “devopsdays.” Since then, the movement has taken on a mind of its own, turning into the go-to strategy for enterprises the world over aiming to accelerate their development timelines and deliver better products faster.

In the shifts and changes that have happened over the last decade, one has been the idea of “DevSecOps,” or the intersection where security practices and DevOps transformations meet. Recently, at the DevOps Enterprise Summit 2018 (DOES18) event in London, several key players in the DevOps world sat down to take a deep dive into the world of DevSecOps. In the following article, we’ll review some of the key points discussed by Ilkka Turunen, head of Solutions Architecture at Sonatype; Zane Lackey, founder of Signal Sciences; and Margo Cronin, senior solution architect for Amazon Web Services during our panel discussion at DOES18.

The first point of the discussion centered around the role of security in DevOps, and how the name “DevSecOps” should never make you think security is secondary.

“I’ve never been crazy about the term DevSecOps, because it’s like ‘Sec’ is an afterthought,” said Turunen. “You know, we were squeezing it in between Dev and Ops, the last kid that got on the bus, and we’re like, go on, just sit in there. For all of us, security is the first priority, the top job—’job zero,’ we sometimes call it. And therefore, for DevOps, it actually understands that security is key, and is the first thing that you do.”

Turunen pointed to recent changes brought on by GDPR that have made privacy one of the pillars of software development, and how this has brought about further emphasis on security in DevOps transformations. In this new world of GDPR regulations, it’s not limited to just data portability and data breech notifications, but truly goes into “privacy by design.” As such, security is paramount.

Later, the conversation turned to the idea of how one can create a culture where everyone thinks of themselves as a security practitioner, a seemingly necessary step to having foolproof security practices. The answer lies in creating an organization where security is part of the fundamental culture—a similar cultural change as to what happened around testing.

“So if you think about testing 10 years ago, it was literally people running from test execution plans, and gradually they changed from that to becoming writers of tests, people that write the automatic-execution, help people, help the floor become more efficient at testing for themselves,” said Turunen. “Teaching them unit testing, all these other frameworks. So I feel like we’re at the brink of a similar kind of change. I think it’s a mixture of both incentives and psychology, and just changing roles.”

Lackey puts it even more simply—that good engineering just goes hand in hand with good security.

“The best way I’ve ever seen, like the highest performing organizations view it, is security is a subset of good engineering. In the way that resiliency is, reliability is, quality is, performance is, is a subset of good engineering,” said Lackey.

Finally, the conversation turned to the role of public cloud service providers and how they can help uplift security for software organizations. For Cronin, the idea of machine learning holds a lot of promise for increasing security.

“You now have services that can scan your landscape and say do you know these large files contain client identifying data, do you know you have keys there?” said Cronin. “And then you have services where you can then change that behavior automatically. But I think that’s where we’re going to see cloud service providers become a lot more active. You know, using machine learning to harden your production landscape before you actually even go to the security operators.”

While the world of DevOps is constantly evolving, growth in highly regulated and compliance-oriented industries—coupled with increased global concern over data privacy—have put increased emphasis on incorporating security throughout the software pipeline. To learn more about how these DevOps experts view DevSecOps, and how they are making security a bigger focus in their organizations, you can watch the entire discussion on DevOps TV.

Bonus: You can also watch Cronin’s DOES18 presentation on “Security Automation at Scale” and Lackey’s presentation on “How You Can Use DevOps to Make You More Secure.”