RSA Conference 2015 — “The DevOps train is coming, and security can choose to get on board or not, but DevOps isn’t going away.”
That statement came from David Mortman, chief security architect at Dell, as he explained the main takeaways he wanted attendees of his session at the RSA Conference in San Francisco to have from his presentation, which outlined how the DevOps movement can improve security. For the past few years, the term DevOps has come into vogue as a term to describe a software development methodology stressing collaboration between developers and other IT pros throughout the development cycle.
In his talk, Mortman and co-presenter Joshua Corman of Sonatype mentioned five ways DevOps can improve security. First, is by instrumenting everything.
“DevOps pros love data and measuring and sharing that data is a key tenet of DevOps,” Mortman said Wednesday. “DevOps folks tend to instrument to a great degree in order to have deep insight into the state of their systems. Even seemingly trivial stats such as CPU temperature or fan speed can be indicators of compromise in the right situations. As Galileo famously said, measure all that is measurable, and that which is not, make measurable.”
Second, he advised organizations to be “mean” to their code.
“This idea has been heavily pushed by the folks Netflix who bump it a tool called Chaos Monkey, which intentionally initiates faults to help ensure that systems are resilient and stable,” he said. “By forcibly failing in controlled ways we can build better stronger code faster.”
Reducing complexity and focusing on change management are third and fourth on his list.
“DevOps orgs tend to be extremely process oriented and leverage automation whenever possible,” he said. “As a result of the use of systems like Chef and Puppet or Jenkins these orgs have also automatically created change management/change tracking systems. This not only improves security and operations but also makes auditors happier.”
But perhaps the most important aspect of the DevOps movement is empathy, he said.
“Only by understanding and having empathy for the needs and concerns of all the players can we effectively build software,” said Mortman. “It’s time to break down silos and talk to each other like friends instead of enemies.”
A recent survey from CA Technologies noted that of the roughly 1,400 people surveyed, 88 percent said they had either already adopted or planned to adopt DevOps within the next five years. Still, security and compliance issues were cited by 28 percent of respondents as obstacles to DevOps. Perhaps not surprisingly, the RSA conference added a track that included DevOps for the first time this year.
According to Andrew Storms, vice president of security services at New Context, security can serve as a force multiplier when it comes to DevOps. In his talk Friday, Storms plans to delve into this very issue. If security teams and developers can be brought together – not just in terms of people, but also when it comes to processes, tools, orchestration and configuration management, it can be a huge leap forward for both groups, Storms told SecurityWeek.
“DevOps is a journey and there is a lot more to it than just lots of deploys per day,” Mortman said. “Start small and start now. It’s a journey and takes time, so don’t delay.”