The New Stack Context: Who Owns Security in the DevOps Process?

20 Mar 2020 5:00pm, by

Welcome to The New Stack Context, a podcast where we discuss the latest news and perspectives in the world of cloud native computing. For this week’s episode, we spoke with Liran Tal, a developer advocate at container security platform provider Snyk and a member of the Node.js security working group, about who should own security in the DevOps process: the security team or the development team?

TNS editorial and marketing director Libby Clark hosted this episode, alongside founder and TNS publisher Alex Williams and TNS managing editor Joab Jackson.

Tal wrote an article for us recently, “‘DevSecOps Insights 2020’: Who Really Owns Security in DevOps,” which summarized the results of a survey the company carried out covering security, development and operations. The post included a couple of surprising survey results, namely that only 14% of respondents reported that they test for known vulnerabilities in container images, and 38% of respondents don’t integrate automated security scanning into their DevOps pipeline.

As Tal writes in the post:

When that many respondents agree security is a major concern when trying to deliver software quickly, it means we need to scale up security to enable fast delivery of security fixes. The key to doing that is developers, as they ultimately fix security issues in an application’s source code.

We also get Tal’s views on incorporating security into Continuous Integration/Continuous Delivery (CI/CD), the need for development speed, as well as his thoughts on the recent purchase of npm by GitHub.

Then, later in the show, we discuss some of the top podcasts and news stories from the site. An episode of The New Stack Analysts podcast provides fodder for discussing service mesh adoption. Also on the agenda: Frustrations mount over Python 3 migrations; Project Calico offers a faster data plane with the help of eBPF; and an excellent side-by-side comparison offered by StackRox’s Karen Bruner of the managed Kubernetes offerings from Amazon Web Services, Microsoft Azure and Google Cloud.

Snyk is a sponsor of The New Stack.