How Automation Can Help to Close the Security Loop
GitLab sponsored this podcast.
Developers create the best software they can and rely on continuous delivery (CD) tools to deliver faster and faster, with code updates now taking minutes to implement, as opposed to days in the past. Many of the silos between the different DevOps teams have been removed, thanks largely to reliance on Git, as the code is accessed, shared and updated in real time among the different stakeholders. But for whatever reason, security processes remain absent from the production pipeline, especially at the beginning stages of development.
A fundamental, yet continued, flaw in DevOps is how security is “completely misunderstood,” Philippe Lafoucrière, distinguished engineer, GitLab, said. “We leave security processes at the very end of the software production process,” Lafoucrière said. “And that leads to different timelines.”
In short, closing the security loop involves implementing security processes at the very beginning of the development process — and only automation can ultimately accomplish that. This was the main theme of this episode of The New Stack Makers podcast, hosted by Alex Williams, founder and editor in chief of The New Stack, during GitLab Commit in Brooklyn, New York last month. On hand to offer their input were Lafoucrière and Shamiq Islam, head of application, blockchain, and infrastructure security, for Coinbase.
The wrong way to attempt to close the security loop is by relying on mostly manual or semi-manual security processes when “a security person has some tools to assist them in their job…but primarily, it’s still a human doing the work,” Islam said. When security is not automated, there remains more “generic dev work that’s going into the production of software,” than there is “relative security resources to make sure it’s secure,” Islam said. “It’s almost like when you wouldn’t paint the house until the house is mostly done,” Islam said. “But what we’re saying is no, this isn’t paint, this is structure, right, and we actually need to bring in the [security] resources early — we can talk about paint later.”
Automating security and implementing it at the beginning of the production process ultimately results in “a single loop where we can involve all the stakeholders at the same time,” Lafoucrière said. “And when we merge something, in a project, we want to have all the decisions being taken at that point,” Lafoucrière said. “You always move forward so that if you want to change something, you create a new loop, we involve all the stakeholders again and you can move forward from there,” Lafoucrière said.
This continual collaborative structure with Git as the focal point should also allow the security teams to enter the collaborative process at the same time the developers do. One way to make that happen is to invest “in tooling and in libraries that have made it very easy for our dev team to basically automate a way,” Islam said. “And so what we decided was any place where we could, we would build the library, because it would have a higher return and we’d be able to, at a minimum, create a template and drive that template with other teams.”
In this Edition:
- 2:43: The blockchain perspective on security lifecycle.
- 5:07: The engineering disconnect.
- 12:02: Tools that automate security.
- 15:45: Different approaches to improving your own software development life cycle.
- 18:32: Key themes.
- 22:13: New mechanisms in scanning tools to root out anomalies.