Last week, several ZeroNorth thought leaders outlined what they expected to see and do at this year’s RSA Conference. The journey to DevSecOps, or continuing to bridge the relationship between security and development, is top of mind for many practitioners as well as for the conference organizers. In 2019, over 800 security practitioners attended the conference’s annual DevSecOps Days, and while this year’s numbers haven’t been released yet, Monday’s packed sessions demonstrated that we’re all hungry to learn how our colleagues are handling DevSecOps, including what lessons they’ve learned.
DevOps has fundamentally changed the development and delivery of software by helping organizations get higher quality products and services to market quickly. DevSecOps is more of an ongoing cultural shift. Rather than bottlenecking innovation and speed, DevSecOps aims to integrate security into the software development process from the beginning, helping organizations (hopefully) address security vulnerabilities before they become a problem. “Baked in” rather than “bolted on.” We have started to move away from viewing DevSecOps as a future ambition; the truth is that more and more organizations are embracing it today.
Still, the spirit of DevSecOps Days was largely collaborative. Many sessions focused on the “disruption mindset” and the type of transformative leadership needed to make such a cultural shift in security. Charlene Li, author of The Disruption Mindset: Why Some Organizations Transform While Others Fail, hosted a panel with practitioners from Equifax, Intel and Attivo Networks, to discuss how companies fail when they make disruption the end goal. As Li states, “Disruption doesn’t create growth; instead, growth creates disruption.”
We’ve seen this kind of growth and disruption play out in the software development community. Software has essentially disrupted traditional product development forever and remains the beating heart of any competitive company. But as businesses rush to ship products quickly and meet their product obligations, this velocity and frequency often lead to inept or even negligent security within the software releases themselves.
On paper, DevSecOps solves these problems. Security is integrated into the software development lifecycle from the beginning, so development, IT and security can work together harmoniously to push out secure code. Unfortunately, the reality is that each team has different work styles and processes, which makes things a bit more complex. This challenge was outlined by Larry Maccherone from Comcast, along with Sladjana Jovanovic and Bill McArthur from TD Bank, in their sessions on building trust to achieve transformation in their organizations. At ZeroNorth, we fundamentally understand that DevSecOps is not static and requires a full cultural shift, but hearing leaders from diverse companies like Delta Airlines, Splunk and Red Hat share exactly how they’ve garnered support within their companies to integrate security into DevOps was illuminating.
The real highlight was the case studies and panel discussion around “Epic Failures in DevSecOps,” based on the book of the same title. This demonstration of how things can go wrong was a good reminder for attendees that every failure can be viewed as a learning opportunity. As Mark Miller, co-founder of All Day DevOps, stated in the introduction to the book, “Failure is part of the process of making the cultural and technological transformation that needs to happen in order to keep innovating. It is part of the journey to DevSecOps. The stories presented here aren’t a roadmap. The stories are by people who have been sloshing around in the swamps of software development for years, figuring out how things work, and most importantly, why things didn’t work.”
Participants discussed the challenges that arose when teams weren’t pulling in the same direction, as well as the numerous communication issues that have historically existed between development and security. They also shared their success stories, where stakeholder teams worked together to build security policies, and stressed the importance of sharing threat intelligence early and often among teams.
Moving forward, the team at DevSecOps Days hopes these stories and events will help to surface patterns that “we as a community can use to safely push the boundaries of software development.” This dovetails nicely with ZeroNorth’s vision to empower businesses to build trusted software that we all rely on in work and life.
ZeroNorth’s platform serves as a mission control to bring together developers, IT operations and security operations teams. If you’d like to get a demo of our risk-based vulnerability orchestration platform and see how our solutions and capabilities can support DevSecOps, just fill in this short form.