With an ominous warning to automate or die, the combination of security with DevOps was the focal point of discussion last week at the NYCDevOps meetup. Irina Tishelman, solutions architect for Sonatype, which develops solutions to automate DevOps, spoke at the event, delivering a call to action for organizations to get on board with DevSecOps principles. “Emphasize the performance of the entire system and never pass a defect downstream,” she said.
As hackers continue to grow in guile and craftiness, Tishelman said improved communication between security teams and developers could give organizations a better chance at locking down their vulnerabilities. There is a desire though to maintain speed of deployment even when confronted with the scale of cybercrimes. So far in 2019, some 4.1 billion records may have been exposed across 3,800 data breaches, Tishelman said, and the year is not done yet. “This is our new reality where all kinds of companies are challenged by hackers who are more and more sophisticated,” she said.
Tishelman suggested that organizations might draw insight from the book The Phoenix Project, a novel by team including DevOps pioneer Gene Kim, that likens software development and IT operations to manufacturing and supply chains. She highlighted the need to create fast feedback resources to catch security issues before they are passed along. “If something bad happens, we need a way for you to tell us about that,” she said.
Citing giants such as Netflix, Facebook, and Amazon, Tishelman said speed of delivery is of course crucial for organizations that might deploy multiple, if not hundreds of times per day. “Only those who master large-scale software delivery will define the economic landscape of the 21st century,” she said, “the same way as the masters of mass production defined the landscape in the 20th century.”
The accelerated development lifecycle at Facebook, Tishelman said, is an example of matching customer expectations for constant delivery of software. The pressure to keep up must be tempered, she said, with implementing security. “This is when DevOps transitions to DevSecOps because security has to be automatically built into the process,” Tishelman said.
Compounding the matter are paradigm shifts in application development in the world of open source, which both can offer flexibility but also lead to vulnerabilities. “Developers are no longer building applications from scratch,” she said. “They download open source components and assemble them like Lego blocks to build applications fast.”
That need for speed can increase security risks and could even lead to exploited code being used. “After vulnerabilities are announced, many developers are still downloading vulnerable components,” Tishelman said. “Organizations continue to use those components at an alarmingly high rate without even recognizing it.” She attributed such trends to a lack of communication to inform developers of risks, coupled with components remaining circulation.
In this fast moving, continuous integration/continuous deployment era, Tishelman said developers might not have the resources to address security on their own. She recommended that organizations make a more coordinated effort to make security part of the workflow. This can include providing intelligence to developers through assets they already use. “Don’t force developers to use tools designed just for security,” Tishelman said. “Security and DevOps teams must unite in the common goal of deploying applications securely and quickly.”