DevOps
How do you promote security as a fundamental aspect of DevOps in your organization?

Top Answer : We're just starting to talk to customers and reach out. The customers have all these questions for us, "Hey, what data of ours do you have? Where are you tracking it? Where are you putting it? How are you restricting who has access to it? Are you doing your annual pen test, and your monthly or weekly, or whatever scans to make sure you don't have any vulnerabilities?" The thing is, if you don't have somebody who comes in and tells you that it's important to [have good security practices], then you're going to do the bare minimum. If you have to answer no on some of these questions, it makes it really obvious that having good security hygiene is actually a sales driver. Not only does it make good sense because you're being a good steward of your customer's data, but it's also going to help you make the money through sales, because your customers are going to trust that you're at least doing the obvious things to get yourself in shape to protect their data.


Pulse Flash Read: Don’t Let Open Source Become Open Sores

Open source, as a concept, seems to encapsulate the best of what the internet was intended for—a truly global teamwork-makes-the-dreamwork coding hivemind built on the principle that information should be shared. It’s a valuable tool for enterprise and amateur coders alike: enterprises make aspects of their code open source, and an aspiring developer on the other side of the world can discover flaws in that code or suggest improvements while simultaneously honing their technical skills.

Perfect, right? Of course not.

The open book of code that makes up open source libraries also means that whoever desires can peruse those pages purely to find — and exploit — vulnerabilities. Open source is full of these proverbial ‘unknown unknowns’.

The communities running open source code databases are, of course, aware of this, and leverage the community hivemind to discover weaknesses and turn some of those ‘unknowns’ into ‘knowns’ by releasing crucial ‘patches’. The key for those using this code in their software is implementing those patches before the bad actors get in.

It would be brilliant if the organizations using open-source code simply had to turn on auto-update and leave their devices connected to wifi overnight to implement these patches.

However, organizations tend to have geological tech stacks that are formed with layers and layers of code from different eras. Each one of those layers could feature tiny pieces of code from dozens of open source libraries. If one of those libraries becomes compromised, would anyone in IT even remember if they used it? Each instance of open source across the whole code stack could turn into an open wound that, left untreated, could fester into a big problem for the whole organization. Keeping track of the ‘Software Supply Chain’ that forms the code stack is near impossible for teams relying on human oversight.

Just because Hollywood Hackers spend Red Bull-fueled nights searching open source libraries for vulnerabilities doesn’t mean the security team can operate 24/7.

It’s a wide issue that needs to be addressed before the tentacular reach of Big Data accelerates beyond the reach of organizations, who may find their data silos are actually about as leak-proof as the White House. Thankfully, awareness is being raised due to efforts such as the Open Source Security Foundation (OSSF), which brings leaders from across industries together with the common goal of increasing knowledge, creating guidelines, and delivering solutions that prevent open source security issues.

Though we’ve seen DevOps adoption rise over the last few years to enhance cross-team continuous development efforts, embedding security into that collaborative effort seems to be proving problematic. Not from a tech standpoint. That might be the easier fix. The problem seems to stem from an internal culture stalemate. Dev and Sec simply don’t want to be teaming up to form any kind of common language or goal (though here’s a handy guide to how that might be overcome). While that’s a problem that needs some innovation and real-talk to fix, a number of vendors have stepped up to push security into that category, offering external DevSecOps tools specifically to tackle open source security (OSS).

GitHub, perhaps the apogee of the open source community, has developed a suite of tools that automate security detection and deployment (including the reassuringly named ‘Dependabot’) and recently joined the OSSF. Synopsys stands alone in the top right corner of the Gartner Magic Quadrant in the category Gartner calls ‘Application Security Testing’, offering ‘end-to-end’ integration of automated security tools, from training through integration to management. HCL Software is named in the ‘visionary’ section of that same Magic Quadrant, and offers an affordable yet robust-sounding tool suite meant to augment the DevOps process called ‘OneTool’. Contrast deploys an ‘Intelligent Agent’ to detect and scan open source libraries within codestacks, enforcing custom policies in real-time. WhiteSource is aimed at those who are specifically seeking out open source libraries for development, and, frankly, has the nicest looking website.

Maybe, if DevOps can find a way to fit security into a loving embrace and truly form the desired DevSecOps, and with the right toolkit, auto-update in some sense might just be possible after all.

Does adhering to compliance standards necessarily mean that your DevOps are secure?

Top Answer : I view compliance as nonfunctional requirements that have to go into every single backlog. Security, on the other hand, needs to go into every single item within the backlog. So it's not like a checklist at the end when you've done something, it is part of everything that you do. Stepping out a little bit more, the architecture is key. People get wrapped around the axle with tools, and they want to build these pipelines for the latest and greatest things. All of a sudden, they think, "We're going to turn this thing on, and we're going to be so much more efficient." But then they forget that their code is not as agile as their pipeline. A one-line change can easily take two hours to build inside of a pipeline, because your code is not as efficient as the pipeline. But it’s the same thing with security architecture: there needs to be consideration for how to build that in, into some type of way that services and optimizes the development in itself. That's how it's far different from compliance. It has to be built in. You have to take a step back and realize where you need to build that in, just as much as you need to build the agility into your code base.

What is DevSecOps, as opposed to DevOps?

Top Answer : DevSecOps is people, processes and tools. No matter what, if you’re being an advocate for change in organizations and leading a number of agile transformations, those things have to work together to drive the security posture. You can have security, but it only gets you so far without DevSecOps. The foundational component really is culture. DevSecOps gets misconstrued as just being tools, and building a pipeline, but it's so much more than that. It's that broad encompassing cultural piece that really unites it in all fronts. Everybody's responsible for the security posture, no matter what your role is. You have to have the posture for the continuous cycles that go through DevOps and you have to have a culture that supports it. The culture can’t work in silos: everybody shares responsibility because there's a common mission. We all, no matter what we do, no matter what our specialty is, have a responsibility in marching towards that mission. Whether you call it DevOps or DevSecOps, I prefer DevOps, because I feel like security needs to be inherent in it.

What tools can help move security into an ingrained position, rather than an add-on, in DevOps?

Top Answer : The companies that seem to have the best grasp around creating a non-adversarial relationship between development and security have more people, not more tools. It's the ingrained product security officers and the security engineers that are part of the DevOps team, that are maybe even reporting up through heads of engineering and so forth. People have particular skills that they bring to any team. The security engineer sits right next to the QA stress testing engineer. They're all working together, and it's just a function of the process. It's not software development and security. It's software development and the security pieces, right in there with any other stress or input testing that you would do as part of the process. I also think having people closer to the business, closer to the engineering teams, allows for that level of awareness training that you need to really instill this through the culture. Otherwise, you're just listening to somebody who's five steps away from you on an org chart talk about security. You're not working with them on a daily basis.

Choose your preferred search engine and mention the reason below:

Top Answer : Elasticsearch: Very good log analytics and visualization with Kibana

Modernizing Customer-Facing App Development

This Pulse survey of 100 IT and engineering leaders uncovers how companies are prioritizing and optimizing customer-facing application development.

How has COVID impacted your organization's plans to adopt Agile practices?

Top Answer : Not exactly. Using the right tools, we had the approach going on smoothly.

Streamlining Application Development

Without an agile platform, application development can be a resource bottleneck for IT teams. The Pulse CIO community shares why.

Changing DevOps Spend

As budgets tighten, how is DevOps spending changing? We surveyed hundreds of executives to find out.
