Spring training for Major League Baseball in the US starts this Friday. While millions of people share my love for baseball, the same can’t be said for security and compliance - well, at least not yet. Perhaps one day.
Much like in the immortal baseball movie, Field of Dreams, if you build a friendly security and compliance system, the developers and operators will come. At least, that is the contention of Julie Tsai (@446688), Senior Director, Security Operations at Box.
I first met Julie at the RSA conference’s DevSecOps Days three years ago and have been following her musings since. I recently watched Julie’s presentation “Build It and They Will Come-pliant: DevSecOps in the Real World” from All Day DevOps. Here is a summary of what I learned:
Good architecture sustains sound applications and security
Julie’s contention is that you can build a system that might actually bring a little joy to developers and operators, and it starts with realizing that, at the end of the day, we are all looking for good architecture. Good architecture sustains sound applications and security. It makes everyone’s life easier - so we all have a little time for baseball (or football or board games or even curling).
The good news is that DevOps organizations are ahead of the game. Julie pointed out the old joke, “DevOps, isn’t that just where you give the keys to the developers?” Well, no, and it isn’t a specific tool or deployment. For security, it is about being lean on requirements, building compliance in from the start, and integrating it across the development lifecycle so you can build something that is secure and performant. Besides being best practices for developers, you can also use your code and policies to appease your auditors as compliance is built in. Bottom line - DevOps puts the rigor around security and compliance.
It Takes a DevSecOps Village
Julie points out a couple of takeaways from DevOps that help security and compliance:
Remove Friction to Scale DevSecOps
The goal here is ultimately to build something that is easier to scale and maintain while remaining compliant and secure. Julie outlines steps to get you closer to this idyllic system:
DevSecOps: Where Things Go Wrong
With these in place, Julie contends you need to realize the world isn’t perfect, so you need to build a system that injects security and compliance where it is most effective. To find the points in the development lifecycle where injecting them matters most, ask these questions:
DevSecOps: String Together Wins
You also need to make it simple. She quoted Mark Burgess, “IT has a detail sickness,” noting that, “We are often burdened by complexity - we love it and dig right in, but it is important to understand the level of granularity you need. You need to look for the things that can make a critical uplift that gives you an incremental improvement. String together the wins.”
In the end, Julie says to “try to reach a goal of being visible and streamlined and leverage the automation and technology in a way that is joyful in how we use it. It is not about a rigid process that is going to die soon - it is about what we are trying to bring to the whole world so that we work more efficiently and more technical.”
The entirety of Julie’s presentation - including some live Q&A - is available here. If you missed any of the other 100 speakers at All Day DevOps, you can find their 30-minute presentations here.