How do you build an organization so security is the default, not the afterthought?
The rise in attacks demonstrates an ever-increasing need to protect ourselves, because critical, interconnected systems are controlled by software. Security must "shift left" and be embedded into the software supply chain from the start.
As Aubrey Stearn says, "How do you become blue by default?"
Aubrey Stearn (@auberryberry) is a DevSecOps practitioner, guru, and frequent conference presenter. She is also a contributor to the recently published book Epic Failures in DevSecOps, edited by Sonatype's Mark Miller.
Aubrey points out that she “doesn’t work in security, but is part of security.”
Her session, Blue By Default - Extract The Value From Security Investment, begins by observing that the cadence of DevOps is well established. Security, however, moves much faster and is driven by external factors. We can’t do anything to slow security down, so we have to be prepared by embedding it into everything we do. But how do we get there?
It requires a cultural transformation based on trust. Development needs to know security wants to work with them, not against them. Security needs to know development is building security into everything they do, working with a security mindset. Operations has to trust development to follow the policies and procedures to protect the applications.
Often trust is compromised because good intentions are followed by bad execution. As Aubrey states, “If you make my life hard, I will cut corners and do stupid *&!*@!”
As a real-life example, she told a story of having to use two laptops at one company. She couldn’t do the work she wanted to do on the company laptop because a company policy prohibited cutting and pasting into the email app and Microsoft Teams. So she finally sent the email from her personal account to her coworkers, only to have it caught by the profanity filter.
You have to find policies and procedures that reduce the friction of compliance in order to increase compliance. That begins with trust, but it includes verification.
Another high-level tip from Aubrey is to deconstruct challenges into smaller, manageable chunks. She often sees this done the wrong way, with tasks not broken down into small enough pieces. For instance, she suggests building Docker locally first, as a way to show value right away. You can then put it into the CI pipeline for another big win and, finally, roll it out into three distinct environments.
The final high-level principle for being blue by default is to change the order of security in the software development lifecycle. Too many organizations have a lifecycle that counts development as the “done” point, then tests, and only then adds in security.
You need to shift that by reordering the lifecycle to Dev→Security→Test→Done. This is the true cycle time, and it places security in its proper place.
In the end, she wants you to know, “Security is buildable, start today!”
Helpfully, as a starting point, she also walked through numerous attack vectors and how to build security into your system to protect against them. She addressed everything from supply chains to endpoints to infrastructure. Her presentation is solution-oriented, practical, and geared towards developers and security practitioners. You can watch her full presentation below.
Register for the fourth annual All Day DevOps 2019, a day to discuss a variety of "blue by default" strategies impacting security, CI/CD, cloud native infrastructure, cultural transformation, and site reliability engineering.