Information Security

Defending the digital infrastructure


DevSecOps: Security leaves the silos (and badges) behind

Delays, "no" and "redo that work" cause many developers to avoid IT security. With DevOps, proponents aim to make security at scale everybody's problem.

DevOps is about getting software prototypes written and committed in internet time. That can mean up to 100 deployments or more a day. In theory, the DevOps concept gets rid of the silos that buttress traditional models of development, operations and, yes, security. While cloud service companies lead the charge, many organizations today have pockets of DevOps scattered throughout project teams and business units.

With fast and continuous delivery of functionality a competitive advantage in public-facing cloud environments, Agile development requires a security model that can keep pace. Unfortunately, security is still an afterthought at many companies -- but not at all of them. Technology journalist Robert Lemos profiles craft marketplace Etsy and other early proponents of DevSecOps, which builds security checks into the push toward automation of development and operations processes.

"Training security to not say 'no' all the time is only part of the answer," writes Lemos.

Etsy's security engineers used graphs to provide visibility to developers (and everyone else) in a timely manner. The craft marketplace was also an early proponent of postmortems, which hold developers accountable. In a "blameless" environment, DevSecOps engineers walked through the detection process, timeline, vulnerability analysis and remediation. Failure was viewed as a powerful educational experience.

"Security is not a tech problem; it's a knowledge problem," Nick Galbreath, Etsy's former director of engineering, told a DevOpsDays audience in Austin, Texas in 2012, when he led many of the DevSecOps efforts at the company. "Once people can see stuff, it's real," he maintained.

Galbreath has since moved on, with two former colleagues, to found Signal Sciences, a web application security firm. The startup aims to provide a next-generation web application firewall that supports DevSecOps initiatives in organizations using cloud, physical and containerized infrastructure.

While many companies ponder the cultural shifts around DevSecOps, retailers and banks are facing a seismic shift of their own. As chip and signature technology (finally) emerges in the United States, it's worth noting that two retailers that suffered colossal breaches are among the proponents of chip and PIN cards, a global standard that adds an extra four digits of security. Target now requires a PIN on its store-brand chip cards. Home Depot is also behind chip and PIN card technology. Wal-Mart wants it, too, which may mean that PIN is a done deal. Technology journalist Steve Zurier examines both sides of the argument as the lawyers are called in by Wal-Mart and other retail giants.

Home Depot and Target both faced class-action lawsuits after reported negligence in their handling of security -- namely customer data. Lawsuits after a breach are still relatively rare. Unfortunately for Home Depot and Target, lawyers generally make multiple filings against a big-name defendant rather than pursue smaller companies that have failed to protect sensitive information. Long-time contributor Adam Rice, the CISO at defense contractor Cubic, and Lisa Borsotti, in-house senior counsel and privacy officer, join forces to examine the intersection of interdisciplinary responsibilities. "As laws have emerged to protect against the proliferation of cybercrime, the digital medium itself has become a risk to a business," the authors write. They unravel the tensions in CISO-counsel relationships and maintain that early collaboration can help companies navigate the labyrinth of data protection laws before the lawyers come calling.

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.


This was last published in August 2016
