Twistlock sponsored this podcast.
Those working in the developer and DevOps space have invariably heard of DevSecOps and, at the very least, know how it plays a critical role in the software delivery pipeline.
But every organization is different, and the tools and mechanisms for software delivery vary accordingly. Add to that the hundreds of CI/CD tools available today, plus the challenges that come with more modern platforms such as container and microservices deployments, and security and DevSecOps become that much more daunting, and in many cases confusing.
“A lot of people don’t really know what [DevSecOps] entails. Not so much that they don’t understand the concept — they get DevOps and they know how to implement it — but I think folks are still a little skittish about DevSecOps and how to implement it,” Sonya Koptyev, director of product marketing and evangelism for Twistlock, said.
In this episode of The New Stack Makers podcast, hosted by TNS editorial director Libby Clark, Koptyev discussed what developers and DevOps teams need to know about DevSecOps. She also described Cloud Native Security Day, a Twistlock-organized event at the upcoming KubeCon + CloudNativeCon Europe 2019, where attendees spend a full day learning, in a hands-on way, how to implement DevSecOps.
The goal at Cloud Native Security Day is to “give folks really hands-on, real-world, examples, scenarios and implementation details of how to make DevSecOps real in their environment,” Koptyev said. “We are going to discuss how developers and DevOps teams can make security a priority throughout their software delivery pipeline.”
If one variable remains constant across developer and DevOps teams at different organizations, it is that the automation structure and tools they use will vary.
“We didn’t want to assume folks are in a particular lifecycle or pipeline setup. If we step back, to [what is the delivery pipeline], it can be anything. It can be anything that folks have integrated into an automated application development deployment and delivery pipeline,” Koptyev said. “With so many plug-and-play options today into that pipeline, it is hard to define it as one particular thing, because all along that pipeline, you have so many different options.”
Automation, of course, is critical for DevSecOps, as well as for DevOps in general. “I’ve seen companies trying to do it manually, but I think if you are just starting out, and this is your alpha version you’re building, then perhaps doing everything manually will work — but once you have more than five developers on something and once you’ve got a process going and multiple pieces and components layered on top of it, then I don’t think you can get away from automation — you can’t scale any other way,” Koptyev said. “[For DevSecOps], it becomes so. It is crucial in the DevOps and Dev world, really, but when you layer on top of that, security becomes even more so important.”
The recent Docker Hub attack serves as a very sober and important reminder of just how critical DevSecOps and processes are. “Sometimes it’s an oversight when folks say ‘okay, it’s on Docker Hub so it’s safe to use,’ and that’s another one of those assumptions people make mistakenly — you absolutely need to know what is in your images,” Koptyev said.
At the end of the day, DevSecOps is largely about “what thresholds you have set before folks are ready to deploy,” Koptyev said. “For example, what are the common rules you have set so that your developers and security teams can say ‘if your app doesn’t pass these thresholds, then we are going to send it back. You are not going to be able to deploy,’” Koptyev said. “And how well are you going to — if you are doing CI/CD — be able to integrate that into the automated pipeline and make sure those safe structures and guard rails are in place for your team. Because we are in a world of CI/CD, which is fantastic, but this just means there needs to be a greater emphasis on making sure the things that are deployed are safe and secure.”
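To make the two points above concrete (knowing what is in your images, and agreed thresholds that send a build back before it can deploy), here is an added example of a pipeline gate. It is not code from the podcast, from Twistlock or from any particular scanner: the JSON report shape, the field names, the placeholder finding IDs and the threshold values are all assumptions chosen for illustration. The gate fails closed on anything it does not understand, blocks findings that already have a fix available, caps counts per severity, and insists the image be referenced by digest so that the scanned contents are the deployed contents.

```python
"""Deployment gate: stop the pipeline when an image scan exceeds agreed thresholds.

Added example, not from the podcast or from any specific scanning tool.
The report format is constructed and tool-neutral; real scanners differ.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Severity order used for comparisons, lowest to highest.
SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")


@dataclass
class Policy:
    """Thresholds developers and security agree on; the defaults are example choices."""
    max_by_severity: dict = field(default_factory=lambda: {"CRITICAL": 0, "HIGH": 2})
    block_fixable_at_or_above: str = "MEDIUM"  # a finding with a fix available at this level or above blocks
    require_digest_pin: bool = True            # image must be referenced as name@sha256:<digest>, not by tag


def severity_rank(sev: str) -> int:
    return SEVERITIES.index(sev.upper())


def evaluate(report: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). An empty reasons list means the image may deploy."""
    reasons: list[str] = []
    counts = {s: 0 for s in SEVERITIES}

    for v in report.get("vulnerabilities", []):
        sev = str(v.get("severity", "")).upper()
        if sev not in SEVERITIES:
            # Fail closed: an unrecognised severity is not silently ignored.
            reasons.append(f"{v.get('id', '?')}: unrecognised severity {sev!r}")
            continue
        counts[sev] += 1
        fixed = v.get("fixed_version")
        if fixed and severity_rank(sev) >= severity_rank(policy.block_fixable_at_or_above):
            reasons.append(f"{v['id']}: {v['package']} {v['version']} ({sev}) has a fix in {fixed}")

    for sev, limit in policy.max_by_severity.items():
        n = counts[sev.upper()]
        if n > limit:
            reasons.append(f"{n} {sev.upper()} finding(s) exceed the limit of {limit}")

    if policy.require_digest_pin and "@sha256:" not in report.get("image", ""):
        reasons.append("image is referenced by tag, not digest; its contents can change under the same name")

    return (not reasons, reasons)


# Constructed sample report. IDs are invented placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""
{
  "image": "registry.example.com/payments/api:1.4.2",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "package": "libexample", "version": "1.0.0",
     "severity": "HIGH", "fixed_version": "1.0.1"},
    {"id": "EXAMPLE-0002", "package": "libother", "version": "2.3.0",
     "severity": "LOW", "fixed_version": null},
    {"id": "EXAMPLE-0003", "package": "libthird", "version": "0.9.0",
     "severity": "CRITICAL", "fixed_version": null}
  ]
}
""")


def gate(report: dict = SAMPLE_REPORT, policy: Policy | None = None) -> int:
    """Pipeline entry point: exit code 0 lets the deploy step run, 1 stops it."""
    allowed, reasons = evaluate(report, policy or Policy())
    for r in reasons:
        print("BLOCK:", r)
    print("deploy allowed" if allowed else "deploy blocked")
    return 0 if allowed else 1


if __name__ == "__main__":
    raise SystemExit(gate())
```

Run as a CI step between "build image" and "deploy": a non-zero exit is the "send it back" in Koptyev's description. With the constructed report and default thresholds the gate blocks for three reasons (a fixable HIGH finding, one CRITICAL finding against a limit of zero, and an image referenced by tag rather than digest); the same report with the CRITICAL finding removed and the image pinned would still be blocked by the fixable HIGH finding until the package is upgraded.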
In this Edition:
1:32: What is it about securing the software delivery pipeline that made you want to plan a whole day of discussions around it?
2:51: What are the different stages of the software delivery life cycle?
8:23: So for your event, are you focusing on workflows as well, or are you kind of doing technical deep dives on how to secure these things, or is it a mixture of both?
10:36: Are you seeing in these kinds of use cases, how they’re adjusting their teams to account for security in cloud-native workloads or cloud-native applications?
14:23: Is that push to speed kind of creating new issues as well?
15:45: What are sort of the primary considerations about how people should be thinking about DevSecOps?
KubeCon + CloudNativeCon is a sponsor of The New Stack.
Feature image via Pixabay.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Real.