The session I’d been waiting for all week at RSA: Chris Wysopal and Tim Jarrett of CA Veracode gave an informative talk about the need for security to adapt to the developer-led world, and the opportunity DevOps presents for security to become part of the team.
Chris likened cyberthreats to cholera: the disease is always there, but only when you have poor sanitation do you get sick or have an outbreak. And with the majority of applications failing basic security hygiene, it is inherently risky to build software. Sixty-three percent of applications fail OWASP Top 10 compliance when they are first tested for security. And the majority of apps are never tested at all! That implies that at least 63 percent of the applications released without any security testing are insecure.
This has been true for years. So, why can DevOps change this? Well, some think DevOps could actually mean putting vulnerabilities into software faster and more often. But those of us who are more optimistic see it as a chance for security to become part of the development process. Where Development and Operations have come together to reach a common goal, they have created a system that encourages teamwork and collaboration. Security can become part of that team, rather than sit outside it. And then DevOps can become DevSecOps.
Tim went on to explain the principles for securing DevOps. Tim has outlined these principles before, so I won’t go into too much detail now. But I will touch on one area that was slightly new: the concept of building security champions. We all know that there just aren’t enough security professionals. What DevOps allows us to do is to create champions within the Dev and Ops teams who understand security and can advocate for it from inside those teams.
So, as Tim said, rocking DevOps doesn’t have to be hard; it can be an opportunity for better security.
Stay tuned for more from RSA …