The Search for a Plan to Bolster DevSecOps Against Attacks - InformationWeek

Commentary
11/18/2019
09:00 AM

Developers under pressure to deploy may benefit from incorporating security resources into the tools they have on hand.

Under an ominous warning to automate or die, the combination of security with DevOps was the focal point of discussion last week at the NYCDevOps meetup. Irina Tishelman, solutions architect for Sonatype, which develops solutions to automate DevOps, spoke at the event, delivering a call to action for organizations to get on board with DevSecOps principles. “Emphasize the performance of the entire system and never pass a defect downstream,” she said.

As hackers continue to grow in guile and craftiness, Tishelman said improved communication between security teams and developers could give organizations a better chance at locking down their vulnerabilities. There is a desire, though, to maintain speed of deployment even when confronted with the scale of cybercrime. So far in 2019, some 4.1 billion records may have been exposed across 3,800 data breaches, Tishelman said, and the year is not done yet. “This is our new reality where all kinds of companies are challenged by hackers who are more and more sophisticated,” she said.

Irina Tishelman, solutions architect for Sonatype. Image: Joao-Pierre S. Ruth

Tishelman suggested that organizations might draw insight from the book The Phoenix Project, a novel by a team including DevOps pioneer Gene Kim that likens software development and IT operations to manufacturing and supply chains. She highlighted the need to create fast feedback resources to catch security issues before they are passed along. “If something bad happens, we need a way for you to tell us about that,” she said.

Citing giants such as Netflix, Facebook, and Amazon, Tishelman said speed of delivery is of course crucial for organizations that might deploy multiple times, if not hundreds of times, per day. “Only those who master large-scale software delivery will define the economic landscape of the 21st century,” she said, “the same way as the masters of mass production defined the landscape in the 20th century.”

The accelerated development lifecycle at Facebook, Tishelman said, is an example of matching customer expectations for constant delivery of software. The pressure to keep up must be tempered, she said, with implementing security. “This is when DevOps transitions to DevSecOps because security has to be automatically built into the process,” Tishelman said.

Compounding the matter are paradigm shifts in application development in the world of open source, which can offer flexibility but also lead to vulnerabilities. “Developers are no longer building applications from scratch,” she said. “They download open source components and assemble them like Lego blocks to build applications fast.”

Unlike in the manufacturing world, where suppliers and manufacturers may have clear relationships, communication can be murky in the software supply chain. For example, she pointed out that there are some 10 million Java developers around the world and 6.5 million JavaScript developers, all of whom download high volumes of open source components on a regular basis to fuel rapid releases. “Speed matters,” Tishelman said. “Why write code that can take months when you can download it in a few seconds?”

That need for speed can increase security risks and could even lead to exploitable code being used. “After vulnerabilities are announced, many developers are still downloading vulnerable components,” Tishelman said. “Organizations continue to use those components at an alarmingly high rate without even recognizing it.” She attributed such trends to a lack of communication to inform developers of risks, coupled with vulnerable components remaining in circulation.

In this fast-moving, continuous integration/continuous deployment era, Tishelman said developers might not have the resources to address security on their own. She recommended that organizations make a more coordinated effort to make security part of the workflow. This can include providing intelligence to developers through assets they already use. “Don’t force developers to use tools designed just for security,” Tishelman said. “Security and DevOps teams must unite in the common goal of deploying applications securely and quickly.”
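One concrete form the advice above can take is a small check that runs inside the build developers already use: it compares the project's pinned components against published advisories and stops the build, with a plain remediation message, when a known-vulnerable version is present. The script below is an added example written for this article; it is not code from Sonatype or from the talk. The lockfile format (`group:artifact==version`), the component names, and the advisory identifiers are all constructed for illustration, and in a real pipeline the advisory list would be fed from a vulnerability database or a repository scanner rather than hard-coded.

```python
"""
Dependency gate for a CI build step (added example, not the article's code).

Reads a project's pinned components, matches them against a list of
advisories, and returns a non-zero exit code plus a short report when a
vulnerable version is found. The advisory data and component names below
are constructed placeholders, not real advisories or CVEs.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    component: str        # constructed name, e.g. "org.example:parser"
    introduced: tuple     # first affected version (inclusive)
    fixed: tuple          # first fixed version (exclusive); None if no fix
    advisory_id: str      # placeholder identifier, not a real CVE


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1); non-numeric fragments are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


# Constructed advisory list (placeholder identifiers, not real advisories).
ADVISORIES = [
    Advisory("org.example:parser", (2, 9, 0), (2, 10, 2), "EXAMPLE-ADV-001"),
    Advisory("org.example:templating", (1, 0, 0), None, "EXAMPLE-ADV-002"),
]


def parse_lockfile(text):
    """Parse 'group:artifact==version' lines; blanks and '#' comments are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def is_affected(adv, version):
    """True when version lies in [introduced, fixed), or >= introduced if unfixed."""
    v = parse_version(version)
    if v < adv.introduced:
        return False
    return adv.fixed is None or v < adv.fixed


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (name, version, advisory_id, fixed_version_or_None) for each hit."""
    hits = []
    for adv in advisories:
        version = deps.get(adv.component)
        if version is not None and is_affected(adv, version):
            fixed = ".".join(map(str, adv.fixed)) if adv.fixed else None
            hits.append((adv.component, version, adv.advisory_id, fixed))
    return hits


def gate(lockfile_text):
    """Build-step entry point: returns (exit_code, report_lines)."""
    hits = find_vulnerable(parse_lockfile(lockfile_text))
    report = []
    for name, version, adv_id, fixed in hits:
        remedy = (f"upgrade to >= {fixed}" if fixed
                  else "no fixed version published; replace the component")
        report.append(f"BLOCKED {name}=={version}: {adv_id}; {remedy}")
    return (1 if hits else 0), report


# Constructed lockfile used for the demonstration run.
SAMPLE_LOCKFILE = """
# project dependencies (constructed sample)
org.example:parser==2.10.1
org.example:templating==1.4.0
org.example:logging==3.2.0
"""

if __name__ == "__main__":
    code, lines = gate(SAMPLE_LOCKFILE)
    print("\n".join(lines) or "no known-vulnerable components")
    raise SystemExit(code)
```

Wired into the existing build as a step that fails the job, this gives the "fast feedback" Tishelman describes without asking developers to open a separate security tool: the report names the component, the advisory, and the version to move to, and a component with no fixed version is called out explicitly rather than silently allowed through.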

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ...