Traditional security has thrived in a culture of “no.”
The Culture of “No”
We have all met that wall. And when those walls exist, people find ways around them. The workarounds make their lives easier. They implement what they think is best. Their efforts are not intentionally destructive, but can lead to unintentional vulnerabilities and, potentially, harm.
At All Day DevOps, DJ Schleen (@dschleen) tackled security issues in his talk, Automating Security in DevOps - Security in the Pipeline. While he studied physical architecture and design, he now works in software security architecture and is a DevSecOps Evangelist for insurance giant Aetna.
The culture of “no” is exactly the kind of culture DevOps is designed to improve, and, as DJ asserts in his talk, “DevOps is an unprecedented opportunity for security.” DevOps provides a system to react quickly by supporting a continuous delivery culture and the addition of security controls into an automated environment.
Invest in People
DevOps is also about investing in people, improving the lines of communication between development, operations, and security, and automating where you can automate to give humans the ability to focus on what we do best. You maximize success with DevOps when you invest in people, which, in turn, also improves your processes and tools.
So, how do we change security from a culture of “no” to a culture of “yes” - or, perhaps more appropriately, “Yes, but this is what it looks like”?
To start, DJ first looks at the underlying system and asks, “Is Agile ‘agile’ enough” to force this change. When the answer is “no,” he knows it’s time for DevOps.
Too often, Agile is just a collection of mini waterfalls. DJ states, “DevOps breaks the chain of waterfalls. With DevOps you can get fixes out quickly and easily. No one has to come in on Saturday.”
Building Security into the DevOps Pipeline
To fully realize the benefits of DevOps for security, DJ notes, you must build security into the pipeline, automate wherever possible, and have security professionals code too. DJ outlines some goals:
Chaos in Your Comfort Zone
What are some practical techniques DJ recommends? First, introduce chaos.
Chaos is a matter of stretching your comfort zone. DJ recommends going beyond traditional monitoring. Consider:
DJ digs into the details of each of these techniques, but, in the end, it all comes back to introducing chaos to improve your preparedness for attacks and your understanding of the entire system.
Of course, this approach has challenges. DJ mentions selecting the right tool sets, tailoring the people, processes, and tools to unique environments, teaching old dogs new tricks, having multiple “flavors” of DevOps, and making KPIs and indicators actionable.
Don’t Go the Road Alone
To dig into the details with DJ, watch his full talk for free here. Then if you have any questions, ping him on Twitter (@dschleen) where he is very active in the community. We all learn from one another, so don’t go the road alone.
In the meantime, his takeaways are:
If you missed any of the other 100 speakers at All Day DevOps, you can find their 30-minute presentations here.