This podcast is sponsored by Prisma Cloud from Palo Alto Networks in advance of Building a Scalable Strategy for Cloud Security: A Virtual Event on January 26.
Infrastructure as code is a movement ready to boom. It’s also emerging as one of the three pillars in cloud security that is bringing DevOps and security together in the evolving DevSecOps market, said Varun Badhwar, senior vice president, Prisma Cloud at Palo Alto Networks, in this episode of The New Stack Makers hosted by TNS founder and publisher Alex Williams.
Infrastructure as code is also a major component of the DevOps trend to shift left. “Shift left security now means application security, it means software composition analysis and it means infrastructure as code scanning — and all of that now is available for DevOps teams to do in the pipeline,” Badhwar said.
The goal is to have one set of policies for the tools that DevOps teams are using, explained Badhwar, who will be a featured speaker at Building a Scalable Strategy for Cloud Security: A Virtual Event, discussing Prisma Cloud’s next wave of platform innovation. However, while infrastructure as code should increasingly take hold in the DevSecOps world, challenges remain before it can evolve to best meet organizations’ security needs.
“In my conversation with hundreds, literally hundreds of customers, I think the security teams are still figuring out how to partner with DevOps teams, and really speak the same language, and share a common toolset across the board,” Badhwar said. “The problem is most of the tools that infosec teams are using are very runtime centric. They’re not really built, purpose-built for this paradigm shift that infrastructure as code has brought in.”
Previously, security in DevOps was largely about deployment, when “we used to live in a world where there were annual or semi-annual release cycles for a lot of software products and applications,” said Badhwar.
“I think clearly there was a business need to be more agile, to move faster and be there at the speed of the business or run the risk of becoming irrelevant, and being run over by companies that had figured out how to move faster. [This is] because a lot of that was about how to take development and deployment practices, and make them more streamlined and iterative — and I think that’s kind of where this world began from,” said Badhwar. “And if you look at it today, it’s moved from being very deployment- and development-centric, to kind of what I call full cycle and full-stack, where security is obviously a big part of it — observability, performance, scalability, quality, are all starting to come together in some form or fashion.”
Open source’s influence on DevSecOps, as well as on infrastructure as code for security, also cannot be ignored. While software was previously based on a proprietary business model, DevOps teams have since “not only brought smartness and automation, but they have brought in community, sharing and crowdsourcing” for DevOps, Badhwar said. “One of the big things they figured out is why go reinvent the wheel every single time — and now you see that the majority of the code is open source, and very little is proprietary,” he explained. “And so there’s this notion of sharing… Guess what? I go to a Docker Hub or somewhere else, and I will usually find different types of containers pre-packaged ready for me to pick up and get going with.”