The Great Security Shift to the Left
Twistlock sponsored this podcast.
An organization may have made the great leap of integrating previously siloed teams in its software development and deployment processes by adopting DevOps practices. Yet for some security teams, even in that scenario, integrating security into the code and its processes still resembles a tennis match: the developers write the code, which is volleyed over to the security team, who send the now security-reviewed code back to the developers, who send it back to security again for a final check. Or worse still, the security team doesn't give its input until just before deployment, creating potential bottlenecks when getting the security right takes longer than expected. (And worse still, of course, apps are shipped with glaring security holes and are only patched after a major breach.)
Call it an example of DevOps growing pains if you will, but the need very often exists for security to “shift left” in continuous integration/continuous delivery (CI/CD) processes, Sonya Koptyev, director of evangelism at Twistlock, said in this episode of The New Stack Makers podcast hosted by Alex Williams, founder and editor-in-chief of The New Stack.
The topic of improving the integration of security in the build-and-deploy processes was also expected to be a major theme of the RSA conference held this week. “I am super-excited for this conference. I’ve heard a lot about it and I’ve heard folks talking about it in the industry during my previous roles throughout my career — so, I am excited about having a front seat, and even more so than a front seat, I would say,” Koptyev said. “I think some of the trends that I’m hoping that we see in some of the content and discussion topics that are floating around as these folks mingle in all the different ways is really, the shift, I would say, from having security [in general], cloud native security and just application security topics really start to shift left, and I think, we’ve been talking about this for a little while now — at least a year and a half.”
The workflow processes emerging as DevOps teams take a more “all-hands-on-deck” approach to security directly involve, of course, CI/CD integration, Koptyev said. “As folks build out their pipelines to include automation from the start into the actual app-development lifecycle, it’s all about how you have security integrated into these pipelines as well. So, not only to build and push into production, but also how do you make sure you have proper security thresholds set in that deployment process, so that you do not allow the app out of development and you do not deploy it unless it passes certain security thresholds — this is a particularly important workflow,” Koptyev said. “And to make sure that at runtime, you have all the right thresholds and alert sets and all of the blacklisting of potential malicious processes set, while defining those right off the bat and automating them into the build process.”
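The “security thresholds” Koptyev describes are, in practice, a policy gate that the pipeline runs against the scan results of the freshly built image before anything is pushed. The following is an added example (not Twistlock’s code or any real scanner’s output): it assumes a constructed, simplified findings format with an id, a severity and whether a fix is available, and evaluates it against per-severity limits plus time-boxed accepted-risk exceptions.

```python
"""Deployment gate: block the pipeline when scan findings exceed the configured thresholds.

Added example, not Twistlock's code. The findings format is constructed and
simplified (id, severity, fix_available); a real scanner's report would need
to be mapped onto it first.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITIES = ("low", "medium", "high", "critical")


@dataclass
class GatePolicy:
    # Maximum number of findings tolerated per severity; 0 means a single finding blocks.
    max_findings: dict = field(
        default_factory=lambda: {"critical": 0, "high": 0, "medium": 10, "low": 50})
    # When True, findings with no available fix are reported but do not block
    # (nothing the developer can do about them yet).
    block_only_fixable: bool = True
    # Accepted-risk exceptions: finding id -> ISO expiry date; expired ones count again.
    exceptions: dict = field(default_factory=dict)


def evaluate_gate(findings, policy, today=None):
    """Return (allowed, reasons). Any reason at all means the deploy is blocked."""
    today = today or date.today()
    counts = {s: 0 for s in SEVERITIES}
    reasons = []
    for f in findings:
        sev = f["severity"].lower()
        if sev not in counts:  # fail closed on a severity the policy does not know
            reasons.append(f"unknown severity {sev!r} for {f['id']}; treated as critical")
            sev = "critical"
        expiry = policy.exceptions.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            continue  # accepted risk, still inside its exception window
        if policy.block_only_fixable and not f.get("fix_available", True):
            continue
        counts[sev] += 1
    for sev in SEVERITIES:
        limit = policy.max_findings.get(sev)
        if limit is not None and counts[sev] > limit:
            reasons.append(f"{counts[sev]} {sev} finding(s) exceed limit of {limit}")
    return (not reasons, reasons)


# Constructed sample findings for an image built in the pipeline (placeholder ids).
SAMPLE_FINDINGS = [
    {"id": "VULN-EXAMPLE-1", "severity": "critical", "fix_available": True},
    {"id": "VULN-EXAMPLE-2", "severity": "high", "fix_available": False},
    {"id": "VULN-EXAMPLE-3", "severity": "medium", "fix_available": True},
]

if __name__ == "__main__":
    allowed, why = evaluate_gate(SAMPLE_FINDINGS, GatePolicy())
    print("deploy" if allowed else "block", why)
```

In a CI job the script would exit non-zero on `block`, which is what stops the push to production; the exception map is where a documented, expiring risk acceptance lives instead of a silently lowered threshold.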
Previously, in the enterprise space, “you [often] had folks coming from a very much waterfall approach to life,” Koptyev said. “So, they build the app and then they hand it off to security, they tell them what to fix, and off it ships into production. But now, with this always-on continuous build and deployment, availability of the app and constant updates happening, you have a workflow in a process that really needs to get updated as well. Just as we have updated our build, continuous deployment, availability of the app and constant updates. So, just as tooling is updated to automate build processes, we [as an industry] need to update how we think about also integrating security into that flow.”
In this Edition:
1:30: What are some of the things you expect to see at RSA, and what are the particular trends that you’re starting to get a sense of?
9:04: The overall complexity of container and cloud-native security.
10:17: Discussing runC and what Koptyev and Twistlock found in their research.
14:40: Exploiting vulnerabilities by running malicious images and symbolic links within your container.
16:05: What are some of the namespace mistakes that you see made?
20:20: When you think about networking security in a container context, what’s that Twistlock point of view?
Feature image via Pixabay.