Making DevOps a Reality – Bringing in Security: Top 4 Topics

Source – devops.com

I caught up with Maria Loughlin, vice president of engineering at CA Veracode; Chris Eng, vice president of research at CA Veracode; and Alan Shimel, CEO of DevOps.com, to talk more about their recent panel webinar on bringing in security to make DevOps a reality. It was enlightening to hear their perspectives on how companies can build security into their culture so that it permeates the development process. Many enterprises have realized that with the continuing popularity of DevOps comes the possibility of creating an environment that allows software vulnerabilities. In truth, more teams are integrating security testing into their development processes.

This informative session is available here on demand and worth a listen. But I’d like to share the top four topics from their discussion:

New Mindset and New Speed

As dev moves to DevOps, traditional approaches to security aren’t fast enough. Both the challenges of scale and the lack of expertise on the teams need to be addressed.

Faster, Cheaper, Better

DevOps makes integrating security easier in a few ways. First, engineers understand they need to take more operational responsibility, and that includes security. Second, DevOps emphasizes the investment in automation and continuous delivery of small batch sizes. The more we automate security, the less costly, more transparent and more readily adopted it becomes.

People Aspect in DevOps: Just as Important as the Technology

Teams do need to interact differently in a DevOps environment. The partnership must be real and show empathy, respect and flexibility. Expect the security teams to be reasonable and take a risk-based contextual approach; not everything is critical.

Most importantly, that interaction must start at the top, just as it does with Maria and Chris, with a shared goal of success and accountability.

Their Parting Advice

Make the secure way the easy way. Implementing secure building blocks not only saves time but reduces your risk. Look for opportunities to simplify and automate to optimize your investments.

Sometimes, it is best to start small. Your investments will grow over time with nurturing.

Your people are your most valuable assets. Be sure to monitor and mentor the skills gap on your team, because if team members aren’t knowledgeable, they can’t be held accountable. Make sure that executive sponsorship is involved and visible.