Blue by Default


How do you build an organization so that security is the default, not the afterthought?

The rise in attacks demonstrates an ever-increasing need to protect ourselves, because critical, interconnected systems are controlled by software. Security must "shift left" and be embedded in the software supply chain from the start.

As Aubrey Stearn says, "How do you become blue by default?"

Aubrey Stearn (@auberryberry) is a DevSecOps practitioner, guru, and frequent conference presenter. She is also a contributor to the recently published book Epic Failures in DevSecOps, edited by Sonatype's Mark Miller.

Aubrey points out that she "doesn't work in security, but is part of security."

Her session, Blue By Default - Extract The Value From Security Investment, begins by observing that the cadence of DevOps is well established. Security, however, moves much faster and is driven by external factors. We can't do anything to slow security down, so we have to be prepared by embedding it in everything we do. But how do we get there?

It requires a cultural transformation based on trust. Development needs to know that security wants to work with them, not against them. Security needs to know that development is building security into everything they do, working with a security mindset. Operations must trust development to follow the policies and procedures to protect the applications.

Often trust is compromised because good intentions are followed by bad execution. As Aubrey states, "If you make my life hard, I will cut corners and do stupid *&!*@!"

As a real-life example, she told a story of having to use two laptops at one company. She couldn't do the work she wanted on the company laptop, because a company policy prohibited cutting and pasting into the email app and Microsoft Teams. So she finally sent the email from her personal account to her coworkers, and the profanity filter caught it.

You have to find policies and procedures that reduce the friction of compliance in order to increase compliance. That begins with trust, but it includes verification.

Another high-level tip from Aubrey is to deconstruct challenges into smaller, manageable chunks. She often sees this done the wrong way, with tasks not broken down into small enough chunks. For instance, she suggests building a Docker image locally to show value immediately. You can then put it into the CI pipeline for another big win, and finally roll it out to three distinct environments.

Finally, in the category of high-level principles for being blue by default, is to change the order of security in the software development life cycle. Too many organizations have a life cycle that treats development as the "done" point, tests afterwards, and only then adds security.

But, you need to shift that by reordering: Dev→Security→Test→Done. This is the true cycle time and places security in its proper place.
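The reordered life cycle above, together with the "build locally, then put it in CI" progression from the previous section, is easiest to see as a pipeline whose security gates sit between build and test and stop the run before any test time is spent. The script below is an added example, not code from the talk, the book or Sonatype: the image name, the file names and the `pip-audit`, `trivy` and `pytest` invocations are assumptions about a Python service packaged as a container, and each stage command can be overridden through an environment variable so the skeleton itself runs without Docker or a scanner installed.

```shell
#!/bin/sh
# Added example (not from the talk or Sonatype): a minimal fail-closed CI
# skeleton that runs stages in the order Dev -> Security -> Test. A vulnerable
# dependency or base image stops the pipeline before the test stage runs.
# Image tag, file names and tool commands below are assumptions; override any
# of them through the environment (e.g. TEST_CMD="npm test").

IMAGE="${IMAGE:-app:ci}"                                   # hypothetical image tag
BUILD_CMD="${BUILD_CMD:-docker build -t $IMAGE .}"
DEP_AUDIT_CMD="${DEP_AUDIT_CMD:-pip-audit -r requirements.txt}"
IMAGE_SCAN_CMD="${IMAGE_SCAN_CMD:-trivy image --exit-code 1 --severity HIGH,CRITICAL $IMAGE}"
TEST_CMD="${TEST_CMD:-docker run --rm $IMAGE pytest}"

# Ordered stage list: both security gates sit between build and test.
STAGES="build security_deps security_image test"

# stage_cmd NAME: print the command configured for a stage.
stage_cmd() {
    case $1 in
        build)          printf '%s\n' "$BUILD_CMD" ;;
        security_deps)  printf '%s\n' "$DEP_AUDIT_CMD" ;;
        security_image) printf '%s\n' "$IMAGE_SCAN_CMD" ;;
        test)           printf '%s\n' "$TEST_CMD" ;;
        *)              echo "unknown stage: $1" >&2; return 2 ;;
    esac
}

# run_pipeline: run the stages in order and stop at the first failure.
# stdout: space-separated names of the stages that actually ran.
# exit status: 0 if every stage passed, 1 if a gate failed (fail closed).
run_pipeline() {
    ran=""
    for stage in $STAGES; do
        ran="${ran:+$ran }$stage"
        cmd=$(stage_cmd "$stage")
        echo "== $stage: $cmd" >&2
        # Stage output goes to stderr so stdout carries only the stage names.
        if ! sh -c "$cmd" >&2; then
            echo "!! $stage failed; remaining stages skipped" >&2
            printf '%s\n' "$ran"
            return 1
        fi
    done
    printf '%s\n' "$ran"
    return 0
}

# Usage: sh pipeline.sh run    (inside CI)
#        sh pipeline.sh plan   (default: list the stages and their commands)
case "${1:-plan}" in
    run)  run_pipeline ;;
    plan) for s in $STAGES; do printf '%-15s %s\n' "$s" "$(stage_cmd "$s")"; done ;;
esac
```

Because the dependency audit and the image scan run before the tests, a pipeline that turns red on a known-vulnerable dependency does so in seconds rather than after a full test run, which is the cycle-time argument the talk makes. The three-environment step is simply this same script invoked per environment with a different `IMAGE` and `TEST_CMD`.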

In the end, she wants you to know, "Security is buildable, start today!"

Helpfully, as a starting point, she also walked through numerous attack vectors and how to build security into your systems to protect against them. She addressed everything from supply chains to endpoints to infrastructure. Her presentation is solution-oriented, practical, and geared towards developers and security practitioners.

Register for the fourth annual All Day DevOps 2019, a day to discuss a variety of "blue by default" strategies impacting security, CI/CD, cloud native infrastructure, cultural transformation, and site reliability engineering.

Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.