The DevSecOps Skillsets Required for Cloud Deployments
How does an organization ensure that its DevOps team has the necessary skillsets to see a project through?
In this latest episode of The New Stack Makers podcast Ashley Ward, technical director, office of the CTO, Palo Alto Networks, discusses the DevSecOps skillsets needed for cloud deployments. TNS founder and publisher Alex Williams hosted this podcast.
In its “2021 Ransomware Threat Report,” Palo Alto Networks’ research arm Unit 42 noted when organizations make the shift to cloud environments they’re often short on the requisite skillsets. “What I see people doing is they’re reaching out — they’re usually speaking to partners, they’re speaking to people to get information about what other companies are doing and how people are coping with the skills gap,” Ward said.
Where to start? “Whatever organization it is, you look at things that are going to give — not necessarily a quick win — but continuous improvement,” Ward said. “So, if it was me, because my background is in containers and container security, I would say start with container images — it’s an easy thing that we can pick off the shelf, and we can start immediately showing benefits and we can start immediately showing the consumers of the images that things are improving.”
Typically, when a Docker file is used to create the container images, layers making up the images can be reused or built on top of existing layers that are shared. However, with this facility comes caveats. “You can borrow other people’s layers and you can build on top of them and all those great things so this makes it really really fast to develop. Unfortunately, it does mean that you are borrowing things… and you don’t necessarily know what’s inside those layers,” Ward said.
This is why security scanning images is so important. It serves to reveal the container’s configurations, to determine what exactly is being run in each container, its potential vulnerabilities and dependencies — including open source dependencies, relevant licensing agreements, and other important information about the container. “It sounds like a lot, and it is… because it’s this one thing that we’re pulling in, we can break it out into all these bits and we can put it into a best practice,” Ward said.