AppSec at the speed of DevOps in the age of open source
Source – jaxenter.com
“Through the community engagement, we all win”
In the world of DevOps, traditional application security doesn’t cut it anymore, and relying on perimeter defenses is a reactionary measure… assuming you control the perimeter. The unprecedented use of open source, speed of continuous integration and continuous delivery, containerization, and move to the cloud all mean that teams need a new approach to application security. DevOps teams cannot cede speed and agility for the sake of security.
JAXenter editor Gabriela Motroc caught up with Tim Mackey, technical evangelist for Black Duck by Synopsysat DevOpsCon 2018 to talk about how to do AppSec at the speed of DevOps in the age of open source. In this video interview, Tim will be answering the following questions:
- How can we improve AppSec and what are the newest security challenges that arise as DevOps becomes more mature?
- Why should we build AppSec into the DevOps process? What are the benefits and what happens if we don’t do that?
- The results of the Black Duck report were released a couple of months ago. What are the most unexpected or worrying facts?
- Right now, we’re using a lot of open source components that contain flaws. Does this mean we should stop using open source components altogether or is there a way to shield our work from vulnerabilities?
- How can we balance security and innovation in open source?
Here are some quotes from the interview:
- The biggest challenge in security in a DevOps world is to understand what the overall information flow is. You also need to understand what the security risks are and what the problem that needs to be solved right now is.
- With GDPR as a reality, that will trigger potential regularity impact.
- Trends from the report :
- Open source is the way the world works today
- Security and engagement with an open source community are lagging
- Organizations are becoming more aggressive with open source license compliance
- Key takeaway from the report: Organizations need to be consuming but also engaging with the communities that are consuming the components from
- There is a tendency among some people to say “I want to remove the flawed component and replace it with something else”. The reality is that what you’re going to replace it with is probably just a different fork of that same component.
- If you see a flaw inside of an open source component, report that flaw, find where you obtained your code from.
- Through the community engagement, we all win.
When you find a security issue, you should report it
Tim Mackey from Black Duck by Synopsys discussed containers in his session “AppSec at the Speed of DevOps in the Age of Open Source” at DevOpsCon 2018. Mackey reported that containers are immutable (they are created once and run many instances) and ephemeral (a container’s life should only be as long as necessary). Containers must be sacrificed and a system may terminate a container if needed; there is no guarantee of a container’s lifespan.
Mackey predicted that the rate of security disclosures will increase. He told the audience that web services APIs introduce new risk profiles (disruption or discontinuity of usage, loss of intellectual property, data breaching, unintended use of unreliable services) and that not every service is reliable and should be trusted. The final takeaway of Tim Mackey’s session is that we are all researchers and when you find a security issue, you should report it. This way we all increase vulnerability awareness together.