How DevSecOps meetups can help to uplift the technology industry
March 15, 2018
Last week, the Versent security team and I attended the inaugural Sydney DevSecOps meetup. I was excited to see 70+ people in attendance, from a range of industries and a breadth of roles: from the more obvious DevOps engineers to audit and compliance officers.
The very fact that these DevSecOps meetups are increasingly being organised in different parts of the country shows the greater acknowledgement and acceptance that DevSecOps is the preferred approach for IT security in an agile environment, but also that all businesses – irrespective of DevSecOps maturity levels – will always have an ongoing journey to refine and improve their processes.
Scott Coulton from Puppet presented his talk “If it’s in a container it’s secure, right?” and spoke about how to utilise container security tools, and how to challenge the use of the traditional infosec toolchain in a DevOps/container environment. He spoke about his experience in using container-specific tools such as Clair to sign container images and scan for vulnerabilities, and about the main security risks to containers. It was an engaging talk and gave us some ideas to try moving forward in our container development activities.
At Versent we are taking this journey with our customers. Having recently started at Versent, it’s refreshing to see the approach and education that we provide to our customers when it comes to DevSecOps.
As industry demands a higher pace of change, we need to encourage increased speed to delivery through our pipeline. This includes baseline controls such as static code analysis (deployment of SonarQube), automated security policy configurations and automated policy audits of network configurations (cfn-nag and Cloud Custodian/Stax). As echoed through the DevSecOps meetup, industry leaders such as Puppet are championing change by embedding preventative controls such as mandatory access controls into the containers. In Scott’s case it is AppArmor; at some of our customers it is SELinux.
In the context of risk, your developers are now your first level of defence. Your internal auditors form part of your second level of defence. In implying and designating greater ownership and accountability of the code, developers must be equipped with the right tools and assets. One such tool we have equipped our developers with is BLESS (Bastion Host Lambda Ephemeral SSH Service). This ensures privileged access is time-constrained and temporary.
IT security isn’t a place for traditional commercial rivalry, and there is much we can learn from sharing tips, tools and war stories with each other. I would encourage anyone considering transitioning to a DevSecOps model, or those who are already on the journey, to attend meetups, collaborate online and engage with the wider security and development community in these matters. I’d also encourage you to get out there and share your knowledge and experiences with others, so we can collectively uplift DevSecOps practices for the good of the industry.
Sarah Young is a security architect in Versent’s security practice and works with customers to design secure cloud solutions and uplift the security posture of IT environments and processes. She is an advocate of encouraging more women to take up roles in IT, and spends her free time working her way through her “hit list” of hipster brunch establishments.