In a recent episode of our Perspectives in Leadership podcast, Shea Stewart from GigaOm joined us to discuss evaluating DevSecOps tools, the benefits of a cloud-native environment, how to deploy Zero Trust without halting workflows, and other topics. Shea has a unique understanding of what it really means to integrate people, processes, and technology thanks to his experience in networking, infrastructure, solution architecture, and open source cloud native technologies.It’s beneficial to do the traditional “Rah, rah, we’re all for this,” as Shea explains on the audio episode. We all desire applications that be more secure. People, process, and tooling are always the three main components. No DevOps product exists. Although there are technologies that can make that easier, people, processes, and technology are still involved. Shea discusses the specifics of how to choose the best DevOps security technologies for your company. Below, we list some of the most important lessons we learned from this episode. The audio episode features the entire gamut of thoughts from the self-described DevOps IT nerd.
What is the value of cloud-native technology?
Shea says that witnessing teams improve their effectiveness and originality is one of his interests. This desire is in perfect alignment with cloud-native technology, as he explains, “I prefer to see teams become more self-sufficient. That was based on self-service delivery, which is eventually what I believe cloud native technology turned into. It put an end to the Word documents being sent back and forth via email and shifted us to a more rapid feedback and experimentation cycle, allowing the true geeks to geek out a little more and ask, “How can I break this in a variety of different ways?
What CSOs Should Know About Development and Deployment Pipelines
Chief Security Officers (CSOs) frequently encounter a number of issues with development and deployment pipelines. Shea observes the following challenges in many organizations and industries:
- Inconsistent policies and tools: Different release engines, security gates, checks, languages, and stacks are frequently used by teams. Sharing updated processes or capabilities between teams becomes challenging as a result. CSOs and engineering managers are unable to standardize processes or monitor the effectiveness of their teams using development and deployment pipelines. Every team’s situation is unique, therefore it becomes more of a quarterly effort to gather data and read reports.
- Verifying the authenticity of artifacts before release: Shea points out that this problem is very serious for CSOs. If the libraries you use are depending on open source, things upstream may have vulnerabilities or may have been compromised. This could manifest as not being able to confirm whether an internal employee who is about to leave has an unfavorable impression. “Once the library is within your package, you cannot confirm its legitimacy. After passing through your general checks and balances, it suddenly begins to run in production, says Shea.
- Not noticing security issues until they’re in production: There are significant difficulties in identifying security concerns after a system has gone into production. Shea cited a Canadian government system that had to be shut down because of a flaw and was unavailable for a week. “It’s much better if we can identify that sooner. We don’t actually know there’s going to be a problem until runtime until we actually add more tooling and processes to pre-deployment. It has typically been there for a while, says Shea. “In the next five years of my professional life, I hope that we won’t be discussing unpatched systems because we now have the ability thanks to automation and DevOps security solutions. That is not a valid defense. We should always be patching.
The Importance of Planning and Inclusivity When It Comes to Security
Simply stating that everyone should be in charge of security is insufficient. Organizations need to return to their people, processes, and technology if this notion is to be implemented effectively. By including security up front rather than in the middle of development or at the conclusion, planning and inclusivity are put into action.
Further, security teams can be incorporated right away into key platform and application teams. That enables communication between what the application or platform team needs and expects and what the security team wants and expects to normalize, according to Shea. A huge number of barriers will be removed as a result of that standardized communication. It’s a good exercise since it begins to develop a common understanding. The workflow can be improved and collaboration can be strengthened by using the same tools.
Does Zero Trust Hamper Productivity?
According to others, the main difficulty with zero trust is restricting access without halting workflows. Adapting to change is never easy, and frequently, people lose access to resources like servers, platforms, and tools that they ought to have never had in the first place.
Shea provides a more detailed explanation of what Zero Trust entails: “To me, the concept of zero trust involves making no assumptions about the target environment. I used to say that I didn’t have to worry about the network since we could extend Zero Trust beyond the network. If my network staff, as I assume, has taken care of that, fantastic. I’m then free to do nothing. This represents a change in attitude. This is partly due to the fact that when you look at how teams communicate with one another, you’ll see that rather than things being misconfigured, they’re just being misunderstood.
Tools and Technologies for DevSecOps Implementation
DevSecOps tools are assessed for important criteria categories in GigaOm’s radar report for subscribers. Shea points out that a variety of DevSecOps technologies and services are available in this field, doing everything from a straightforward fix to human-based coaching to offer security education. When evaluating tools and technologies for DevSecOps, he advises companies to have a key factors in mind.
Start by thinking about the tools you’re using. You may have two distinct approaches to what additional DevSecOps technologies you plug into that source code management system if you utilize GitHub rather than GitLab. Take a look at the suppliers you already work with. For instance, if you already use RedHat, check out what they provide in terms of DevOps security tools that you might be able to easily add to your current support agreements. They could offer a component of the puzzle.
Finally, be aware that there are several applications for these products and that no one provider or tool can fulfill all of your needs. You will likely have at least three or four DevSecOps tools in a good pipeline, possibly even a few more, according to Shea. There is a ton of free material available that you may utilize right now. And everything is always preferable to nothing.