Security is in crisis. Can security, as an industry, rise to the demands of DevOps? Is the DevOps culture able to handle security and all of its baggage? Will security destroy the DevOps culture?
These are the questions James Wickett (@wickett) addressed in his talk at the 2018 Nexus User Conference. If you haven’t heard James speak previously, he is an InfoSec guy who embraces DevOps. He writes DevOps training for Lynda.com and is a founder of the Gauntlt open source project and DevOps Days Austin. Currently, he is the Director of Research for Signal Sciences.
As an alumnus of both large organizations and small startups, he has seen the worst, the better, and the worst transforming into the better. He now sees security at forward-leaning development shops, where it wasn’t before, and applauds the juxtaposition of the old and the new to create and embrace DevSecOps. But the path to enlightenment isn’t always clear, which is why James lays out a “yellow brick road,” of sorts, for those still wandering in the darkness.
James’s first big-company job was at an ecommerce organization with $1 billion in annual sales. He had brutal on-call shifts, 24-hour-plus deployments, and waterfall, waterfall, and more waterfall. The good news: “friends are born from adversity.”
James then moved to a startup where he found cloud services, lots of failure, lots of happiness, and a feeling that this is how he wanted to live his life. However, in 2010 he rejoined his old team - the same friends born from adversity.
Enter DevOps. Back at the big company, they were embracing DevOps principles. They were not at a Continuous Deployment level yet, but they did have daily deploys. They ended up delivering 4 SaaS products in 2 years using DevOps and cloud services.
During this time, he realized that for DevOps to succeed, the culture needed to lean even further toward Ops, because for every operations engineer there tend to be ten developers. The ratio is even more tilted for security: for every 100 developers, there tends to be one security engineer. Despite this, James had hope of pulling security into DevOps, and saw the potential for DevSecOps to become mainstream.
James touts DevSecOps in part because security is in a crisis. As he quotes Steven Bellovin from Thinking Security, “Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.”
He also quotes Michal Zalewski, from The Tangled Web: A Guide to Securing Modern Web Applications, “[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work.”
James asserts that the reality is that security must change or die, and he lays out the old path juxtaposed with the new path:
| Old Path | New Path |
|---|---|
| Embrace security | Create feedback loops |
| Just pass audit | Compliance adds value |
| Build a wall | Zero trust networks |
| Slow validation | Fast and non-blocking |
| Certainty testing | Adversity testing |
| Test when done | Shift left |
| Process driven | The paved road |
He also reminds us that for DevSecOps to work, the culture of the organization has to embrace it. He quoted Patrick Debois, who coined the term DevOps: “Culture is the most important aspect to DevOps succeeding in the enterprise.”
To that, James believes there are four keys to strong culture:
While it’s easier said than done, the ramifications of not creating that strong culture can be fatal.
To hear more from James, including about rugged security and tying performance and function to your compute resources, listen to his full talk, for free, here. Listen to all of the talks from the 2018 Nexus User Conference here.