DevOps Mini-Track: The only reason security really matters for DevOps presented at sourcemesa 2018

by Caroline Wong

Summary: DevOps. A buzzword for the C-suite and technology teams, it can inspire anxiety in even the most mature security professional. To truly understand how to integrate security effectively into a DevOps environment, we must be honest with ourselves about why security matters in the first place. This session reveals the secret to ensuring the success of your security team in a DevOps world.

A few of the most influential years of my security career were spent managing the security program and writing the first-ever security policy for Zynga – “the FarmVille company.” Zynga was one of the first companies to leverage DevOps practices and the cloud to accommodate unpredictable growth. Automated tools for provisioning and detecting changes, real-time monitoring and feedback based on player behavior, and lots of data analytics contributed hugely to the company’s early success. FarmVille, which launched in 2009, went from zero to 10 million daily users in just a few weeks.

Several years later, DevOps is a “thing.” This talk begins by exploring the question: why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, they will evolve to accommodate that. Next, I discuss the key differences between the pre-DevOps world and the post-DevOps world. Before, it was about on-premises infrastructure, protecting the perimeter, and enforcing gates in the software development lifecycle. Now, supply chain security is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies “killing it at DevOps” reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and rework, and security requirements are explicitly specified during the sales process as part of vendor security assessments.

Additional drivers for security include avoiding bad press and meeting compliance obligations, both of which, if you look under the covers, are ultimately about getting more sales. I look at the actual language of Bill Gates’ Trustworthy Computing memo and find that even Microsoft’s “noble” initiative was all about the money.

That being said, what’s a security professional to do? BSIMM has 113 controls, ISO 27017 has 121, and the CCM has 133. It’s enough to make a person’s brain explode. This session concludes with my expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. I simplify its 5 functions (Identify, Protect, Detect, Respond, and Recover) to just 3 (Identify, Prevent, and React) and conclude the session with detailed recommendations for how to incorporate practical security concepts into a DevOps environment using this simple framework.