The Search for a Plan to Bolster DevSecOps Against Attacks - InformationWeek
Developers under pressure to deploy may benefit from incorporating security resources into the tools they have on hand.

With an ominous warning to automate or die, the combination of security with DevOps was the focal point of discussion last week at the NYCDevOps meetup. Irina Tishelman, solutions architect for Sonatype, which develops solutions to automate DevOps, spoke at the event, delivering a call to action for organizations to get on board with DevSecOps principles. “Emphasize the performance of the entire system and never pass a defect downstream,” she said.

As attackers grow more sophisticated, Tishelman said improved communication between security teams and developers could give organizations a better chance at locking down their vulnerabilities. At the same time, organizations want to maintain their speed of deployment even as the scale of cybercrime grows. So far in 2019, some 4.1 billion records may have been exposed across 3,800 data breaches, Tishelman said, and the year is not done yet. “This is our new reality where all kinds of companies are challenged by hackers who are more and more sophisticated,” she said.

Irina Tishelman, solutions architect for Sonatype. Image: Joao-Pierre S. Ruth

Tishelman suggested that organizations might draw insight from the book The Phoenix Project, a novel by a team including DevOps pioneer Gene Kim that likens software development and IT operations to manufacturing and supply chains. She highlighted the need to create fast feedback loops that catch security issues before they are passed downstream. “If something bad happens, we need a way for you to tell us about that,” she said.

Citing giants such as Netflix, Facebook, and Amazon, Tishelman said speed of delivery is of course crucial for organizations that might deploy multiple times, if not hundreds of times, per day. “Only those who master large-scale software delivery will define the economic landscape of the 21st century,” she said, “the same way as the masters of mass production defined the landscape in the 20th century.”

The accelerated development lifecycle at Facebook, Tishelman said, is an example of matching customer expectations for constant delivery of software. The pressure to keep up must be tempered, she said, with implementing security. “This is when DevOps transitions to DevSecOps because security has to be automatically built into the process,” Tishelman said.

Compounding the matter are paradigm shifts in application development brought on by open source, which offers flexibility but can also introduce vulnerabilities. “Developers are no longer building applications from scratch,” she said. “They download open source components and assemble them like Lego blocks to build applications fast.”

Unlike in the manufacturing world, where suppliers and manufacturers have clear relationships, communication can be murky in the software supply chain. For example, she pointed out that there are some 10 million Java developers around the world and 6.5 million JavaScript developers, all of whom download high volumes of open source components on a regular basis to fuel rapid releases. “Speed matters,” Tishelman said. “Why write code that can take months when you can download it in a few seconds?”

That need for speed can increase security risk and can even result in components with known, exploitable flaws being shipped. “After vulnerabilities are announced, many developers are still downloading vulnerable components,” Tishelman said. “Organizations continue to use those components at an alarmingly high rate without even recognizing it.” She attributed such trends to a lack of communication informing developers of risks, coupled with vulnerable components remaining in circulation in public repositories.

In this fast-moving continuous integration/continuous deployment era, Tishelman said developers might not have the resources to address security on their own. She recommended that organizations make a more coordinated effort to make security part of the workflow. This can include providing vulnerability intelligence to developers through the assets they already use, such as the build and dependency tools that produce their releases. “Don’t force developers to use tools designed just for security,” Tishelman said. “Security and DevOps teams must unite in the common goal of deploying applications securely and quickly.”
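One concrete form of the “intelligence in the tools developers already use” idea above, and of the point that known-vulnerable components keep getting shipped, is a dependency gate that runs in the existing build: it reads the project's lockfile, compares every installed component (including nested copies) against an advisory list, and fails the build with an actionable message. The script below is an added example written for this article, not Sonatype's software or anything shown at the meetup. The lockfile excerpt is a constructed npm package-lock.json, and the advisory entries, package names and ADV-EXAMPLE identifiers are placeholders, not real advisories; in practice the advisory list would come from a vulnerability feed.

```python
"""Dependency gate for a CI step: flag locked npm components whose version
falls inside a known-affected range.  All data here is constructed for
illustration; the advisory IDs and package names are placeholders."""
import json
import re
import sys
from dataclasses import dataclass

# Constructed excerpt of an npm package-lock.json (lockfileVersion 2/3 layout).
# Note the nested copy of json-parse-ish under safe-lib: a flat check of
# package.json would miss it, the lockfile does not.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-pad-ish": {"version": "1.2.0"},
    "node_modules/json-parse-ish": {"version": "2.0.5"},
    "node_modules/safe-lib": {"version": "4.1.0"},
    "node_modules/safe-lib/node_modules/json-parse-ish": {"version": "1.9.9"}
  }
}
"""

# Constructed advisory feed: affected range is introduced <= v < fixed.
# fixed=None would mean no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "json-parse-ish",
     "introduced": "0.0.0", "fixed": "2.0.3",
     "summary": "prototype pollution via crafted input"},
    {"id": "ADV-EXAMPLE-2", "package": "left-pad-ish",
     "introduced": "1.0.0", "fixed": "1.3.0",
     "summary": "regular expression denial of service"},
]


@dataclass(frozen=True)
class Finding:
    path: str       # location in node_modules, so nested copies are distinct
    package: str
    version: str
    advisory: str
    fixed: str


def parse_version(v):
    """Turn '1.2.3-beta+build' into a comparable (1, 2, 3) tuple.
    Pre-release/build tags are dropped and missing parts padded with zeros,
    so '2' compares equal to '2.0.0'."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or no fix exists)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def installed_packages(lock_json):
    """Yield (path, name, version) for every installed entry in the lock.
    The name is the text after the last 'node_modules/', which also keeps
    scoped packages such as @scope/name intact."""
    lock = json.loads(lock_json)
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[1]
        yield path, name, meta["version"]


def scan(lock_json, advisories):
    """Return a Finding for every installed component in an affected range."""
    findings = []
    for path, name, version in installed_packages(lock_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(path, name, version, adv["id"], adv["fixed"]))
    return findings


def gate(lock_json, advisories):
    """Return (ok, report_lines); ok is False when anything must be fixed."""
    findings = scan(lock_json, advisories)
    lines = [f"{f.path}: {f.package}@{f.version} affected by {f.advisory}, "
             f"upgrade to >= {f.fixed}" for f in findings]
    return (not findings), lines


if __name__ == "__main__":
    ok, report = gate(LOCKFILE_JSON, ADVISORIES)
    print("\n".join(report) if report else "no known-vulnerable components")
    sys.exit(0 if ok else 1)   # non-zero exit fails the CI job
```

Run against the constructed lockfile, the gate reports two findings: the direct left-pad-ish 1.2.0 and the nested json-parse-ish 1.9.9 that sits under safe-lib, while the top-level json-parse-ish 2.0.5 passes because it is at or past the fixed version. Walking the lockfile rather than the declared dependencies is the point: the transitive copy is exactly the kind of component that stays in circulation without anyone recognizing it.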

Joao-Pierre S. Ruth has spent his career immersed in business and technology journalism first covering local industries in New Jersey, later as the New York editor for Xconomy delving into the city's tech startup community, and then as a freelancer for such outlets as ...