DevOps and Security Mingle at RSA Conference

RSA Conference 2015 — “The DevOps train is coming, and security can choose to get on board or not, but DevOps isn’t going away.”

That statement came from David Mortman, chief security architect at Dell, as he explained the main takeaways he wanted attendees of his session at the RSA Conference in San Francisco to have from his presentation, which outlined how the DevOps movement can improve security. For the past few years, the term DevOps has come into vogue to describe a software development methodology that stresses collaboration between developers and other IT pros throughout the development cycle.

In his talk, Mortman and co-presenter Joshua Corman of Sonatype mentioned five ways DevOps can improve security. The first is instrumenting everything.

“DevOps pros love data and measuring and sharing that data is a key tenet of DevOps,” Mortman said Wednesday. “DevOps folks tend to instrument to a great degree in order to have deep insight into the state of their systems. Even seemingly trivial stats such as CPU temperature or fan speed can be indicators of compromise in the right situations. As Galileo famously said, measure all that is measurable, and that which is not, make measurable.”
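As an added illustration of the "instrument everything" point (this is not code from Mortman's talk or from SecurityWeek), the Python below learns a per-metric baseline from a training window of host telemetry and flags live readings that stray from it. The readings are constructed, and the "thermal signals up while reported utilization stays normal" rule is an assumption chosen for this example, one concrete instance of a trivial stat becoming worth a closer look.

```python
"""Added example: baseline-and-deviation checks over host telemetry.

Not code from the talk or from SecurityWeek. The sample readings are
constructed, and the correlation rule in find_anomalies is an assumption
made for this example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    ts: int              # seconds since the start of the window
    cpu_temp_c: float    # CPU temperature in degrees Celsius
    fan_rpm: float       # fan speed
    cpu_util_pct: float  # utilization as reported by the OS


METRICS = ("cpu_temp_c", "fan_rpm", "cpu_util_pct")


def baseline(samples):
    """Per-metric (mean, population stddev) over a training window."""
    out = {}
    for name in METRICS:
        vals = [getattr(s, name) for s in samples]
        out[name] = (mean(vals), pstdev(vals))
    return out


def deviations(sample, base, k=3.0):
    """Return {metric: z-score} for metrics more than k stddevs from baseline."""
    flagged = {}
    for name, (mu, sigma) in base.items():
        value = getattr(sample, name)
        if sigma == 0:
            # Constant metric in training: any change at all is a deviation.
            if value != mu:
                flagged[name] = float("inf")
            continue
        z = (value - mu) / sigma
        if abs(z) > k:
            flagged[name] = z
    return flagged


def find_anomalies(training, live, k=3.0):
    """List (ts, flagged metric names, possible_hidden_load) for odd samples.

    possible_hidden_load is an assumption for this example: temperature and
    fan speed both climbing while the OS reports normal utilization is a
    mismatch between what the hardware and the OS say, so it is marked for
    review rather than treated as ordinary load.
    """
    base = baseline(training)
    alerts = []
    for s in live:
        dev = deviations(s, base, k)
        if not dev:
            continue
        hidden_load = (
            dev.get("cpu_temp_c", 0) > 0
            and dev.get("fan_rpm", 0) > 0
            and "cpu_util_pct" not in dev
        )
        alerts.append((s.ts, sorted(dev), hidden_load))
    return alerts


# Constructed training window: a quiet host with small, regular variation.
# 330 samples so each modulus cycle is sampled evenly.
TRAINING = [
    Sample(t, 40.0 + (t % 5), 1500.0 + 40 * (t % 6), 10.0 + (t % 11))
    for t in range(330)
]

# Constructed live readings: normal, hot-and-quiet, hot-and-busy, oddly cold.
LIVE = [
    Sample(400, 42.0, 1600.0, 15.0),
    Sample(401, 58.0, 2400.0, 14.0),
    Sample(402, 55.0, 2300.0, 85.0),
    Sample(403, 30.0, 1600.0, 15.0),
]

if __name__ == "__main__":
    for ts, metrics, review in find_anomalies(TRAINING, LIVE):
        print(ts, metrics, "review" if review else "")
```

Run as a script it prints the three live samples that deviate; only the second one (hot and quiet) is tagged for review. The threshold `k` and the training window are the knobs a team would tune per fleet; the point is that the data has to be collected before any such rule can exist.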

Second, he advised organizations to be “mean” to their code.

“This idea has been heavily pushed by the folks at Netflix who built a tool called Chaos Monkey, which intentionally initiates faults to help ensure that systems are resilient and stable,” he said. “By forcibly failing in controlled ways we can build better, stronger code faster.”

Reducing complexity and focusing on change management are third and fourth on his list.

“DevOps orgs tend to be extremely process oriented and leverage automation whenever possible,” he said. “As a result of the use of systems like Chef and Puppet or Jenkins these orgs have also automatically created change management/change tracking systems. This not only improves security and operations but also makes auditors happier.”
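To make concrete how a desired-state tool ends up producing a change record as a side effect, here is an added Python example (not code from the talk, nor from Chef, Puppet or Jenkins). It compares a declared manifest of managed files against an observed state and emits one JSON line per drift finding, which is the kind of artifact an auditor can consume. Both the manifest and the observed state are constructed in memory so the example runs offline.

```python
"""Added example: desired-state drift check that doubles as a change record.

Not code from the talk or from any configuration-management product. The
manifest (DESIRED) and the observed state (OBSERVED) are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Desired state as a config-management tool would declare it (constructed).
DESIRED = {
    "/etc/ssh/sshd_config": {
        "sha256": sha256_hex(b"PermitRootLogin no\n"),
        "mode": "0600",
    },
    "/etc/sudoers": {
        "sha256": sha256_hex(b"root ALL=(ALL) ALL\n"),
        "mode": "0440",
    },
}

# Observed state of one host (constructed): one file edited, one with the
# wrong mode, and one file present that nothing declared.
OBSERVED = {
    "/etc/ssh/sshd_config": {"content": b"PermitRootLogin yes\n", "mode": "0600"},
    "/etc/sudoers": {"content": b"root ALL=(ALL) ALL\n", "mode": "0644"},
    "/etc/cron.d/unexpected-job": {"content": b"* * * * * root /tmp/x\n", "mode": "0644"},
}


def drift(desired, observed):
    """Return drift findings, sorted by path then kind, as plain dicts."""
    findings = []
    for path, want in desired.items():
        have = observed.get(path)
        if have is None:
            findings.append({"path": path, "kind": "missing"})
            continue
        actual_hash = sha256_hex(have["content"])
        if actual_hash != want["sha256"]:
            findings.append({"path": path, "kind": "content",
                             "expected": want["sha256"], "actual": actual_hash})
        if have["mode"] != want["mode"]:
            findings.append({"path": path, "kind": "mode",
                             "expected": want["mode"], "actual": have["mode"]})
    # Files under a managed directory that no manifest entry claims.
    for path in observed.keys() - desired.keys():
        findings.append({"path": path, "kind": "unmanaged"})
    return sorted(findings, key=lambda f: (f["path"], f["kind"]))


def audit_records(findings, host, ts=None):
    """One JSON line per finding: the change record the run leaves behind."""
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"ts": ts, "host": host, **f}, sort_keys=True)
            for f in findings]


if __name__ == "__main__":
    for line in audit_records(drift(DESIRED, OBSERVED), host="host-01"):
        print(line)
```

A real tool would then remediate the content and mode findings and leave the unmanaged file for a human; either way, the JSON lines are the trail that shows what changed, on which host, and when.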

But perhaps the most important aspect of the DevOps movement is empathy, he said.

“Only by understanding and having empathy for the needs and concerns of all the players can we effectively build software,” said Mortman. “It’s time to break down silos and talk to each other like friends instead of enemies.”

A recent survey from CA Technologies noted that of the roughly 1,400 people surveyed, 88 percent said they had either already adopted or planned to adopt DevOps within the next five years. Still, security and compliance issues were cited by 28 percent of respondents as obstacles to DevOps. Perhaps not surprisingly, the RSA conference added a track that included DevOps for the first time this year.

According to Andrew Storms, vice president of security services at New Context, security can serve as a force multiplier when it comes to DevOps. In his talk Friday, Storms plans to delve into this very issue. If security teams and developers can be brought together, not just in terms of people but also in terms of processes, tools, orchestration and configuration management, it can be a huge leap forward for both groups, Storms told SecurityWeek.

“DevOps is a journey and there is a lot more to it than just lots of deploys per day,” Mortman said. “Start small and start now. It’s a journey and takes time, so don’t delay.”
