In this episode of SecCasts Live, our special guests — Justin Collins, Matt Tesauro, Jimmy Mesta, James Wickett, Neil Matatall — discuss building security into an Agile & DevOps development environment.
In the conversation the panelists answer questions on:
What is DevOps and how does it fit with Agile?
Where does the responsibility fall for secops?
Is automation the way out?
What are some concrete examples of automation and secure code development?
It was really fun doing the show, and these are some of my favorite moments from it, with rough minute marks on them.
On Agile, Lean and DevOps
We started doing devops agile in the AppSec group over at Pearson…we did 44 assessments in 2014 and we will have done over 200 by the end of 2015.
Matt Tesauro [3:20]
I love Matt’s comments here because these gains are not from adding headcount, but from adopting Agile and Lean. These numbers aren’t showing just a marginal gain — getting a 5X gain is a huge benefit for organizations.
[not just automation]…it's getting developers excited about security
Jimmy Mesta [9:30]
You will never have a big enough security team…let's get people involved and interested, and the first thought is to add them to the security team. But the better approach is to have them represent security in the organization wherever they are. That is how you are able to scale rather than hiring Application Security Engineers.
Justin Collins [11:25]
Both Jimmy and Justin nail the points on culture. In fact, I think this is not company-specific; it is industry-wide. There are simply not enough people currently in security to fill the open positions.
We also have to shift our attitude.
Correct code is secure code and correct code is what we are all striving for.
Neil Matatall [13:00]
There is often a chasm where security and development should meet. And I really like how Neil phrased this because it is inclusive language that helps knit development and security together around a common goal. Personally, I have never met a developer who wanted to write insecure code. Instead of making it an us vs. them argument, we need to build bridges across cultures. Adopting this team mentality to software development is truly a cultural shift and will be more significant to our organizations than any amount of happy hours and ping pong tables ever could be.
Matt Tesauro shared his experience of leaving Rackspace.
[the development team] was sad to see me go
And he comments that it's a brave new world where developers are sad to see a security guy leave. This is proof of the cultural shift that is happening in our industry.
In our current world of Continuous Integration and Continuous Delivery there are numerous points to integrate security tooling. We don’t have to break the build, but we can add tooling at lots of different layers.
Neil Matatall shared his experience at Twitter and building the security team there. In that case they actively decided not to break the build, but instead to integrate testing throughout the pipeline.
Developers don’t like seeing red things
Jimmy Mesta [19:50]
Dropping security tooling into your build and development pipeline is the best place to integrate because it speaks the language of the engineering team. Security should put tooling in place that makes things green or red in the system everyone is already using.