On Monday, the RSA Conference featured a full-day DevOps Connect Seminar. In order to attend some of the other sessions, I had to pop in and out of the seminar, so I wasn’t able to see the entire agenda. However, the portions I was able to attend seemed a little like déjà vu, as I imagine they would for anyone from Veracode.
One of the main topics in the opening remarks was that DevOps and security are really fighting the same battle. Josh Corman, one of the pioneers of the Rugged DevOps movement, pointed out that these teams should be working together, rather than behaving as adversaries. Yet, many developers and those in development management feel as if their security teams have let them down.
This theme is at the heart of Veracode’s message of “Make Code not War.” For too long, DevOps and security practitioners have acted as if they have opposing interests. But this is not the case; DevOps’ goal is to create processes that produce high-quality software within a pre-set release cycle, while security’s only goal is to ensure this software does not contain any known vulnerabilities.
As some of the presentations pointed out during the seminar, the challenges these two teams face are also the same. Software is no longer built; it is assembled from components. Josh cited a statistic that 80 percent to 90 percent of a program comes from components.
One of the presenters during the seminar suggested that one way to get DevOps to consider security a priority is to talk about security as a quality issue instead of a vulnerability issue. When development teams look at security this way, they are less likely to balk at security protocols in the SDLC.
What I was able to see of the seminar reinforced the idea that DevOps and security need to unite to defeat vulnerabilities and insecure software. Neither of these groups is the enemy; the cybercriminals are, and if these teams can actually work together, they will be more successful. As one presenter explained, there is a gulf growing between the “haves” and “have-nots” in terms of innovation. The gulf creates a self-perpetuating cycle of success, which means more innovation. The companies that are able to find a way to balance innovation and security will be at a distinct competitive advantage over those that do not.
In a completely unplanned coincidence, Veracode will be discussing the need for DevOps and security to become allies throughout the week and beyond. If you’d like to discuss this topic further, you can do so at our RSAC expo booth N3209.