At this year’s Interop Digital conference, Jayne Groll, CEO of DevOps Institute, led a discussion with Darwin Sanoy, senior solutions architect with GitLab, on ways organizations can nurture continuous vulnerability remediation habits within their IT teams by getting developers more plugged into DevSecOps -- the blending of DevOps with security.
The discussion explored the intersection of automation and some human elements that make up DevOps. The intent is to establish habits that allow for continuous remediation and ways to better identify security vulnerabilities that only developers might see in code. Groll and Sanoy also discussed why building strong habits is important for personal and professional development in IT.
Sanoy cited books -- “The Power of Habit” by Charles Duhigg and James Clear’s “Atomic Habits” -- as references and resources that illustrate how habits develop and why it can be important to cultivate them. “One aspect these books teach very saliently is that habits are built right into our humanity,” he said. “They migrate from our software to our firmware, so to speak.” An example from Duhigg’s book discussed an individual who lost the capacity for short-term memory due to brain damage, yet the individual still developed habits, Sanoy said. “It’s really a part of who we are as human beings.”
The capacity to change habits, he said, is also a fundamental part of human cognition and is a factor in the tooling and processes that people build around work.
The roles IT professionals fill are being redefined, Groll said, calling for the development of diverse expertise. “There’s so much advocacy these days for everyone in IT, whether you’re a developer or on the operations side, to become hybrid,” she said, “to look at what you do from multiple lenses, to broaden your skill sets across multiple domains, whereas before you might have really focused your energy and expertise on a single area.” Groll said one goal of building up continuous vulnerability remediation habits is to help developers become more hybrid and DevSecOps-aware.
Sanoy said becoming a DevSecOps-aware developer is largely about taking responsibility for security. “One of the things that’s important about code security, sometimes we get some pushback, is that developers ‘don’t have time for this,’” he said. “Or ‘we wanted someone else to remediate the vulnerabilities in the code.’ In reality, when you start to remediate vulnerabilities, you create functional changes in the code potentially.” That can necessitate a change to what the code does from an operational perspective, he said.
The potential shakeups that changes bring mean developers who build the tooling in the code must be the ones to update it for security capabilities, Sanoy said. Developers should be the ones to handle this because of the possibility for knock-on effects that touch other parts of what they built. It is also better to address these issues, he said, while coding is underway rather than going under the hood well after developers have finished, which can be frustrating and potentially expensive.
With the different tasks being added to IT roles, Groll said there are concerns among developers that the “shift-left and down” approach to software and system testing, meant to reduce the number of errors that can lead to defects, is going to add more work.
“Shift-left, generically, is saying ‘let’s find it earlier and fix it earlier,’” said Sanoy. Developers might be reluctant to pursue this because there still needs to be extensive research in security remediation, he said, which may be easy for them to dismiss as not part of their job. Those additional activities may include digging through vulnerability databases, trying to find the vulnerability information in a report, and trying to understand exactly which tool buttons to press to see the right vulnerabilities, Sanoy said.
Automation can be a way to address these additional tasks, he said. The overall rise of automation across multiple industries raises questions about how far it can be taken, including the potential for job elimination, Groll said. IT has been responsible for introducing automation in other sectors, and that disruption seems to be coming home to roost. “Is it now time for IT to automate itself?” she asked.
By becoming continuous learners, IT professionals may be able to mitigate possible job impacts that these shifts might bring, Sanoy said. “There’s one estimate that if you’re in IT as a career, you have to earn a bachelor’s degree every 10 years in order to keep up and you have to earn a master’s that frequently if you want to get ahead,” he said.
As organizations adopt new frameworks and technology such as automation, they might consider hiring new staff who can work with the new resource rather than reskill their current personnel, but Sanoy said that could be a disservice to everyone involved. “Developers understand not only the coding languages that you’re working with, they also understand your business area,” he said. Hiring a new developer who knows the new framework but does not know the business might be a step backwards. “If we are careful how we do it, it doesn’t have to be an inhumane process to bring work into an automated form,” Sanoy said.
For the rest of this discussion and other Interop Digital sessions, follow up with on-demand replays from the conference.