What tools can help move security into an ingrained position, rather than an add-on, in DevOps?

The companies that seem to have the best grasp around creating a non-adversarial relationship between development and security have more people, not more tools. It's the ingrained product security officers and the security engineers that are part of the DevOps team, that are maybe even reporting up through heads of engineering and so forth. People have particular skills that they bring to any team. The security engineer sits right next to the QA stress testing engineer. They're all working together, and it's just a function of the process. It's not software development and security. It's software development and the security pieces, right in there with any other stress or input testing that you would do as part of the process. I also think having people closer to the business, closer to the engineering teams, allows for that level of awareness training that you need to really instill this through the culture. Otherwise, you're just listening to somebody who's five steps away from you on an org chart talk about security. You're not working with them on a daily basis.

Anonymous Author
I think that despite the proliferation of tools, and there are certainly good tools, without a strong culture of actually being willing and able to use those tools, spending more on tools is not going to help you. My experience is that people's attitudes need to shift left before any kind of tooling can really make an impact. How do you get people's best participation? You get their buy-in first, you get their commitment to whatever your fundamental principle is. Then, you're figuring out how to get there, and then that's where the tool can come in. So, the first thing is getting people interested in keeping things secure, getting people interested in breaking things apart, even. One of the great things that my company's doing is, once a week or every other week, the developers get together and review a component of our application and look at the inputs and how the data gets processed. They do things like fuzzing and they see, "Okay, well where are the opportunities for us to add in more security?" Now that's a team that I will be delighted to help build more pipeline tools, so that they can do security testing. A team, on the other hand, that doesn't really have any awareness of, "Hey, it's possible that people could somehow put in bad input, whether on purpose or accidentally," is a team that isn't ready for a pre-commit hook to come in and say, "Hey, whoa, you need to look at this thing," whether it's "you're adding a credential into your commit" or "this function is potentially vulnerable to a buffer overflow." They're not ready to jump in and take the next step. We've all been in situations where we've spent money on something, and then, "Hey, we've deployed it, but we never tuned it, and we never did anything with it." It really doesn't help the company. So it's got to be a mindset, and it's got to be an integration of the tooling into your existing infrastructure.
That is where the culture of DevSecOps may help people understand that it's security tools plus security practices that will lead to better security improvements.
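The pre-commit hook the second commenter describes, one that stops a commit when a staged change adds a credential, as an added example that is not part of either answer. The rule set, the entropy cutoff and the sample diff are constructed assumptions; the hook scans only added lines so that pre-existing secrets are reported by a separate repository scan, not by every commit.

```python
import math
import re
import subprocess
import sys

# Constructed rule set (added example): (name, regex); only the generic rule captures a value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-secret-assignment", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
MIN_ENTROPY = 3.0  # bits/char; assumed cutoff that lets placeholders like "changeme" through

def shannon_entropy(s: str) -> float:  # bits per char: random keys score high, words low
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text: str) -> list:
    """Return (path, new_line_no, rule) for every added line of a unified diff that matches a rule."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith(" "):
            line_no += 1  # unchanged context still advances the new-file line counter
        elif raw.startswith("+"):
            line_no += 1
            for name, rx in RULES:
                m = rx.search(raw[1:])
                if m and (not m.groups() or shannon_entropy(m.group(1)) >= MIN_ENTROPY):
                    findings.append((path, line_no, name))
    return findings

# Constructed staged diff: a placeholder password, an AWS access key id and a random-looking API key.
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
+PASSWORD = "changeme"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+api_key = "q9Xf3LpT7zVb2mRkW8aY"
"""
if __name__ == "__main__":  # installed as .git/hooks/pre-commit; pass --demo to scan SAMPLE_DIFF
    staged = SAMPLE_DIFF if "--demo" in sys.argv else subprocess.check_output(["git", "diff", "--cached"], text=True)
    hits = scan_diff(staged)
    for path, no, rule in hits:
        print(f"{path}:{no}: possible credential ({rule})", file=sys.stderr)
    sys.exit(1 if hits else 0)  # non-zero exit makes git abort the commit
```

On the sample diff the placeholder password passes (low entropy) while the AWS key id and the random-looking API key are reported with their new-file line numbers.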