DevOps and Security Mingle at RSA Conference

RSA Conference 2015 — “The DevOps train is coming, and security can choose to get on board or not, but DevOps isn’t going away.”


That statement came from David Mortman, chief security architect at Dell, as he explained the main takeaways he wanted attendees of his RSA Conference session in San Francisco to leave with; his presentation outlined how the DevOps movement can improve security. Over the past few years, DevOps has come into vogue as the name for a software development methodology that stresses collaboration between developers and other IT professionals throughout the development cycle.

In his talk, Mortman and co-presenter Joshua Corman of Sonatype described five ways DevOps can improve security. The first is instrumenting everything.

“DevOps pros love data and measuring and sharing that data is a key tenet of DevOps,” Mortman said Wednesday. “DevOps folks tend to instrument to a great degree in order to have deep insight into the state of their systems. Even seemingly trivial stats such as CPU temperature or fan speed can be indicators of compromise in the right situations. As Galileo famously said, measure all that is measurable, and that which is not, make measurable.”
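As an added illustration of the "instrument everything" point (example code written for this page, not from the talk or from Dell or Sonatype): a small detector that standardises recent CPU temperature readings against a baseline window and flags only a sustained deviation on a host that is supposed to be idle. The readings below are constructed sample data; the threshold and run length are assumptions to tune per environment.

```python
from statistics import mean, stdev
from typing import List, Tuple

# Constructed sample readings (degrees C) from a host that should be idle at
# this time of day. The baseline is the previous hour sampled every 5 minutes;
# the recent window contains a sustained rise. All values are made up.
BASELINE_TEMP_C = [44.0, 45.0, 44.5, 46.0, 45.5, 44.0, 45.0, 46.5, 45.0, 44.5, 45.5, 45.0]
RECENT_TEMP_C = [45.0, 44.5, 46.0, 71.0, 73.5, 74.0, 72.5, 73.0, 46.0, 45.0]


def z_scores(baseline: List[float], recent: List[float]) -> List[float]:
    """Standardise each recent reading against the baseline mean and spread."""
    mu = mean(baseline)
    sigma = stdev(baseline)
    if sigma == 0:
        sigma = 1e-9  # flat baseline: treat any change as a large deviation
    return [(x - mu) / sigma for x in recent]


def sustained_runs(scores: List[float], threshold: float, min_run: int) -> List[Tuple[int, int]]:
    """Return (start, end) index ranges (end exclusive) where |z| >= threshold
    for at least min_run consecutive samples. A lone spike is ignored; a
    sustained rise on an idle host is what merits a closer look."""
    runs: List[Tuple[int, int]] = []
    start = None
    for i, z in enumerate(scores):
        if abs(z) >= threshold:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i))
            start = None
    if start is not None and len(scores) - start >= min_run:
        runs.append((start, len(scores)))
    return runs


def detect_thermal_anomaly(baseline: List[float], recent: List[float],
                           threshold: float = 3.0, min_run: int = 3) -> List[Tuple[int, int]]:
    """Assumed defaults: 3 standard deviations, sustained for 3 samples (15 minutes)."""
    return sustained_runs(z_scores(baseline, recent), threshold, min_run)


if __name__ == "__main__":
    for start, end in detect_thermal_anomaly(BASELINE_TEMP_C, RECENT_TEMP_C):
        print(f"sustained deviation at samples {start}..{end - 1}: {RECENT_TEMP_C[start:end]}")
```

The same routine applies to fan speed or any other cheap host metric the ops team already collects; the value is in correlating such a run with process and network telemetry from the same window.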

Second, he advised organizations to be “mean” to their code.

“This idea has been heavily pushed by the folks at Netflix, who built a tool called Chaos Monkey, which intentionally initiates faults to help ensure that systems are resilient and stable,” he said. “By forcibly failing in controlled ways we can build better, stronger code faster.”

Reducing complexity and focusing on change management are third and fourth on his list.

“DevOps orgs tend to be extremely process oriented and leverage automation whenever possible,” he said. “As a result of the use of systems like Chef and Puppet or Jenkins these orgs have also automatically created change management/change tracking systems. This not only improves security and operations but also makes auditors happier.”


But perhaps the most important aspect of the DevOps movement is empathy, he said.

“Only by understanding and having empathy for the needs and concerns of all the players can we effectively build software,” said Mortman. “It’s time to break down silos and talk to each other like friends instead of enemies.”

A recent survey from CA Technologies noted that of the roughly 1,400 people surveyed, 88 percent said they had either already adopted or planned to adopt DevOps within the next five years. Still, security and compliance issues were cited by 28 percent of respondents as obstacles to DevOps. Perhaps not surprisingly, the RSA conference added a track that included DevOps for the first time this year.

According to Andrew Storms, vice president of security services at New Context, security can serve as a force multiplier when it comes to DevOps. In his talk Friday, Storms plans to delve into this very issue. If security teams and developers can be brought together – not just in terms of people, but also when it comes to processes, tools, orchestration and configuration management – it can be a huge leap forward for both groups, Storms told SecurityWeek.

“DevOps is a journey and there is a lot more to it than just lots of deploys per day,” Mortman said. “Start small and start now. It’s a journey and takes time, so don’t delay.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
