Josh Corman gave another engaging and informative talk at RSA about DevOps and how it is changing the way we think about security. As he says, DevOps is here, and is the future of development. Companies that don’t start shifting this way won’t be able to keep up in terms of innovation. But he also points out the need for governance, using the analogy of an earthquake.
The earthquake in Haiti did untold damage and resulted in the loss of 230,000 lives. Weeks later, an even more powerful earthquake struck Chile, but the death toll was thankfully much lower – only 279 people. Why? Because Chili had modern building codes that Haiti lacked. Chili took into account the possibility of a large earthquake and planned for disaster. Haiti was unable to do the same due to a variety of economic reasons.
DevOps is the reality the security community needs to plan for. Josh was echoing Veracode’s sentiments that the future of security is DevSecOps, though he did not use those words. He pointed out that security professionals need to stop talking about security problems and start talking about development problems; have empathy for what developers are going through. For example, when a vulnerability like Heartbleed is disclosed, the security team thinks of the risk. But the development team looks at it as unplanned work, while the ops team thinks of it as downtime for the product. If security teams only focus on the risk message, they won’t be able to get developers beyond the idea that this is unplanned work.
Corman used the example of the Ohio River catching fire due to all the pollution. Only once it went up in flames several times, destroying property and infrastructure, did we create environmental protections. During his talk, Corman discussed the need for our “River on Fire” moment to create new protocols. But I think we’ve already had it. Vulnerabilities in prevalent components like Apache Commons Collections are proliferating risk at an alarming rate. When talking to developers, if we position the need for application hygiene as a function of quality, we will make great strides in improving code security.
Stay tuned for more from RSA …