This post is the second installment of a two-part series on DevSecOps. Read part one here.
“The number one misconception around DevSecOps is that it’s just sprinkling in a security tool,” said Matt Chiodi, chief security officer, public cloud, at Palo Alto Networks. There is no doubt that the right tools are an essential part of getting DevSecOps right, but they are not enough on their own.
So what role do security tools play in improving development velocity, tightening security feedback loops and integrating security into the entire application lifecycle? I spoke with a number of security tool vendors about what is and is not solved by tooling.
According to Hillary Benson, chief product officer at container security company StackRox, organizations need tools to tighten the feedback loop, increase automation and help prioritize which vulnerabilities to fix. “The concept of having a human in the loop every time you need to make a security judgment is just a non-starter these days,” she said. Security tools can be integrated with the CI/CD pipeline, and developers can get immediate feedback when a build has a security problem — and the build can be failed and prevented from progressing in the pipeline until the security problem is fixed, all without input from security.
Prioritization is also an important force multiplier. One of the challenges, as companies move to complex distributed microservice architectures, is that there can be a flood of alerts and potential vulnerabilities. Organizations have a limited number of security professionals and using security tools to prioritize means those professionals can focus on the most important fixes instead of getting bogged down.
“The first thing we do is that we can look at the list of vulnerabilities your scanners produce and reduce it by 50% to 80%,” explained Liran Tancman, CEO of cloud native security company Rezilion. “I think 70% of vulnerabilities are never loaded to memory or are not exploitable, so we reduce the number of vulnerabilities that developers have to fix.”
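The two ideas above, filtering findings down to what is actually loaded at runtime and then failing the build automatically when something serious remains, combine naturally into a single pipeline gate. The script below is an added illustration, not code from any of the vendors quoted; the scanner findings, the runtime inventory and the `SCAN-000x` identifiers are all constructed, and the "loaded at runtime" signal is assumed to come from some runtime-instrumentation step the pipeline has already run.

```python
"""CI gate: prioritize scanner findings by runtime reachability, then fail closed."""
import sys
from dataclasses import dataclass

# Higher rank = more severe. Unknown severities are treated as blocking (fail closed).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # constructed identifier, not a real advisory number
    package: str
    severity: str


# Constructed scanner output for a hypothetical container image.
SCANNER_FINDINGS = [
    Finding("SCAN-0001", "libfoo", "CRITICAL"),  # present in image, never loaded
    Finding("SCAN-0002", "libbar", "HIGH"),
    Finding("SCAN-0003", "libbaz", "MEDIUM"),
    Finding("SCAN-0004", "libqux", "HIGH"),      # present in image, never loaded
]

# Constructed runtime inventory: packages observed loaded while the service ran its tests.
RUNTIME_LOADED = {"libbar", "libbaz"}


def prioritize(findings, loaded):
    """Drop findings for packages that were never loaded at runtime."""
    return [f for f in findings if f.package in loaded]


def blocking_findings(findings, threshold="HIGH"):
    """Return findings at or above the threshold; unknown severities always block."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity.upper(), floor) >= floor]


def run_gate(findings=SCANNER_FINDINGS, loaded=RUNTIME_LOADED, threshold="HIGH"):
    """Apply prioritization, then decide pass/fail without a human in the loop."""
    relevant = prioritize(findings, loaded)
    blocking = blocking_findings(relevant, threshold)
    return {"total": len(findings), "relevant": len(relevant),
            "blocking": [f.finding_id for f in blocking], "passed": not blocking}


if __name__ == "__main__":
    result = run_gate()
    print(f"{result['total']} findings, {result['relevant']} reachable, "
          f"blocking: {result['blocking'] or 'none'}")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the pipeline stage
```

With the constructed data the gate cuts four findings down to two reachable ones and still fails the build on the remaining HIGH, so developers get the feedback immediately while the two unreachable findings never reach their queue.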
There’s a third type of tool that’s not specific to security but is nonetheless crucial to success with DevSecOps: communication and collaboration tools. A major component of success with DevSecOps is better knowledge sharing between developers, security and operations. Tools that make that knowledge sharing possible, like Slack or Zoom, are critical to success with DevSecOps — though they are there to facilitate the underlying cultural changes DevSecOps requires.
“A tool will not cause two groups who’ve never spoken to each other to speak to each other and collaborate,” explained Rani Osnat, vice president of strategy and product marketing at cloud native application security company Aqua Security. “It won’t make organizational magic happen.”
It’s the organizational magic that’s often the trickiest for security professionals to get right. “When I was at Cisco, vendors would come in and ask ‘If I could solve an issue for you, what would it be?’” remembered Rick McElroy, head of security strategy at Carbon Black. “I said, if you can solve these two issues, I’ll pay you all my money. It was paperwork and politics. Those are the two things that are always inhibitors for the security program and there’s no technical medicine for that.”
“There was a time when if there was a memory leak or something that might impact performance, we just wouldn’t let it out,” explained Tancman, of Rezilion. “One of the things that happened with DevOps is we are willing to live in an imperfect world so that we can push code faster. Security is still too often trying to get to a perfect situation instead of figuring out how we live in an imperfect world.”
Tools can feel like either handcuffs or freedom, depending both on the tool itself and on the organizational culture it is part of. One hope security professionals have is that DevSecOps can help shift the perception of security’s role — to become more of a partner than a policeman. Ideally, the right tools can help build in the guardrails, feedback loops and redundancy so that the organization is protected even if developers don’t get things perfect.