- Kathleen Richards, Information Security
DevOps is about getting software prototypes written and committed in internet time. That can mean 100 or more deployments a day. In theory, the DevOps concept gets rid of the silos that buttress traditional models of development, operations and, yes, security. While cloud service companies lead the charge, many organizations today have pockets of DevOps scattered throughout project teams and business units.
With fast and continuous delivery of functionality a competitive advantage in public-facing cloud environments, Agile development requires a security model that can keep pace. Unfortunately, security is still an afterthought at many companies -- but not at all of them. Technology journalist Robert Lemos profiles craft marketplace Etsy and other early proponents of DevSecOps, which builds security checks in alongside the push toward automation of development and operations processes.
"Training security to not say 'no' all the time is only part of the answer," writes Lemos.
Etsy's security engineers used graphs to provide visibility to developers (and everyone else) in a timely manner. The craft marketplace was also an early proponent of postmortems, which hold developers accountable. In a "blameless" environment, DevSecOps engineers walked through the detection process, timeline, vulnerability analysis and remediation. Failure was viewed as a powerful educational experience.
"Security is not a tech problem; it's a knowledge problem," Nick Galbreath, Etsy's former director of engineering, told a DevOpsDays audience in Austin, Texas in 2012, when he led many of the DevSecOps efforts at the company. "Once people can see stuff, it's real," he maintained.
Galbreath has since moved on, with two former colleagues, to found Signal Sciences, a web application security firm. The startup aims to provide a next-generation web application firewall that supports DevSecOps initiatives in organizations using cloud, physical and containerized infrastructure.
While many companies ponder the cultural shifts around DevSecOps, retailers and banks are facing a seismic shift of their own. As chip and signature technology (finally) emerges in the United States, it's worth noting that two retailers that suffered colossal breaches are among the proponents of chip and PIN cards, a global standard that adds an extra four digits of security. Target now requires a PIN on its store-brand chip cards. Home Depot is also behind chip and PIN card technology. Wal-Mart wants it, too, which may mean that PIN is a done deal. Technology journalist Steve Zurier examines both sides of the argument as the lawyers are called in by Wal-Mart and other retail giants.
Home Depot and Target both faced class-action lawsuits after reported negligence in their handling of security -- namely, of customer data. Lawsuits after a breach are still relatively rare. Unfortunately for Home Depot and Target, lawyers generally make multiple filings against a big-name defendant rather than pursue smaller companies that have failed to protect sensitive information. Long-time contributor Adam Rice, the CISO at defense contractor Cubic, and Lisa Borsotti, in-house senior counsel and privacy officer, join forces to examine the intersection of their interdisciplinary responsibilities. "As laws have emerged to protect against the proliferation of cybercrime, the digital medium itself has become a risk to a business," the authors write. They unravel the tensions in CISO-counsel relationships and maintain that early collaboration can help companies navigate the labyrinth of data protection laws before the lawyers come calling.
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.