
DevSecOps Grows Up and Finds Itself a Community

On June 28th, the first DevSecOps Days event came to London following a similar event in San Francisco in April. It kicked off with a welcome address from event founders, John Willis and Mark Miller, who explained that the intention is to replicate the DevOpsDays model and empower communities worldwide to stand up their own events.

The first talk came from Chris Roberts, chief of adversarial research and engineering at LARES Consulting, who asked whether we can beat the attackers and answered that, although many vendors say yes, the evidence tells us we can't. His advice is to integrate the human side more and to make security a conversation that also involves the human resources and legal teams, so as to "get eyes inside your world." Roberts explained that in the digitised world organisations no longer have perimeters, and so have an urgent need to get back to basics and remove the easy ways in. He expressed astonishment that after twenty-six years we continue to have conversations about passwords.

Following Roberts' talk, the audience heard briefly from each of the event sponsors: Electric Cloud, Sonatype, WhiteSource and Gitlab.

John Willis then took the stage to tell the audience about the workshop he had facilitated the previous day, following the DevOps Enterprise Summit, in which participants used a toolkit comprised of GitHub, Jenkins, Electric Cloud and Sonatype to hunt for a known Apache Struts vulnerability in a Tomcat deployment (he emphasised that a large number of organisations are still running a Struts version exposed to this particular vulnerability today).

John Willis: Friends don't let friends run default Jenkins. It was scary to see the kill chain - we saw an attack yesterday where an attacker brought up an AWS super user. Sonatype was flagging the problem up to development in the IDE before it hits CI.

Next up was Nike's Courtney Kissler, who advised not to prescribe a methodology but to pick the right leader and, through transparency, build credibility and trust. She explained how using data to drive decisions and actions helped to move discussions away from emotion, and that it is important to challenge the status quo and be persistent. Encountering a lot of skeptics, Kissler found that vocabulary matters, and that she needed to start small and scale.

Courtney Kissler: We had to do a lot of verbal tweaks, like saying 'fast learning' and not 'failure'; 'resilience', not 'chaos'. We learned not to care about the words but instead cared about the business outcomes. We made work visible; we discovered we had a lot of work going on that people didn't realise was going on. And people didn't realise what their cycle time was; they thought it was ten days and it turned out it was eighty-four.

Kissler cited strategic alignment with the business as a huge accelerator and identified engineering capacity as the number one constraint. She described how they 'flipped the bit': the teams had been focused on features first, but instead were made to start with security and compliance. The result was no hot fixes in two hundred and fifty days. Kissler's advice: 'Honour and extract reality.'

Mark Miller then led an informal panel session with Chris Roberts and John Willis in which they discussed the impact of the industry as a whole making 87 billion download requests for open source software per annum, a number only set to increase as more enterprises adopt open source and implement explicit 'open source first' strategies. Miller showed that 11.1% of Java component downloads have known vulnerabilities, and an audience member proposed an analogy for the concept of stability: 'Are you playing Jenga or riding a bike?' Chris Roberts made a plea to everyone to 'Slow down. Slow down and communicate', as the rate of downloads of components with known vulnerabilities is doubling and over twice as many breaches are being reported year on year.

Next up was Mandi Walls, technical community manager for EMEA at Chef, who talked about the critical importance of organisations viewing themselves as technology companies, citing Alaska Air's ambition to be a 'technology company with wings' as laudable. Walls alerted the audience to the recent story of Honda being hit by WannaCry and then demonstrated how Chef InSpec helps identify and remediate security issues such as this, by expressing the expected state of a system (patch level, disabled services, file permissions) as compliance tests that can run in the pipeline and against production.

Walls was followed by Aubrey Stearn, DevOps leader and coach, formerly of Arcadia, Travelodge and Pizza Hut. Stearn asserted that the DevOps cadence is now well established and that development tends to move much faster than IT operations and, in particular, the security teams. She explained how important it is to consider attack vectors across the whole software supply chain, starting with the developer's own machine and moving through the artifact repository and public container registry to the endpoint. Stearn emphasised that developers must perform security tests themselves, with the first opportunity to do so being a pre-push check. She urged the audience to use tools such as Detectify.

One of Stearn's most popular slides on social media following the talk was the statement: 'If you make my life hard I will cut corners and do stupid stuff!' Stearn stated that organisations cannot do transformation without trust and that DevOps will not magically fix problems. She talked about 'Scrum-but' and suggested that teams could stop doing Scrum badly and start doing Kanban instead. Where teams send artifacts to test and security after 'dev done', she described how the development team receives five artifacts in return; she called this 'the magic multiplying machine'. In conclusion, Stearn stated that development owns test, and that if organisations are not testing in development they are running on credit (and creating technical debt).

The next couple of hours were taken up with open spaces, in DevOpsDays tradition, introducing much of the audience to the concept. The open spaces were broadly split into two camps: those centred around cultural and organisational challenges and solutions, and those primarily concerned with the technical angles of DevSecOps.

The final keynote speaker of the day was Mark Schwartz, enterprise strategist at AWS, who shared some experiences from his previous role as CIO at US Citizenship and Immigration Services. He brought in an ex-NSA employee as a penetration tester, who found some flaws in the digitised visa system his teams were working on. They also had auditors perform some successful social engineering attacks, which helped them learn where to prioritise the tightening of security policies and procedures, in particular around people's password habits. Schwartz said: 'Make it easy to do the right thing and hard to do the wrong thing' (echoing Stearn's earlier comment). They fixed the password problem with two-factor authentication (TFA) and single sign-on, using the pass that staff already need to get into the building to also log into computers, in combination with a PIN; thus, he said, automation fixes the process problem.

Like Kissler, Schwartz also touched on cultural change, explaining how traditionally the business wants IT to work on functional things and is not interested in it working on security. He highlighted this as an oddity, given that a key customer requirement is not to have their data compromised. Schwartz emphasised the need to create a culture in which we are concerned about security on behalf of our customers and shareholders, and referenced the Rugged Software manifesto as a tool to help imprint the behaviour of building software with potential attacks in mind. He concluded that a lot of security fixes are free and require no investment, being simply a matter of how you do your work: for example, don't leave keys in source control.
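Stearn's point that the developer's first chance to run a security test is at pre-push, and Schwartz's closing example of not leaving keys in source control, meet in a single control: a git pre-push hook that refuses to send commits whose added lines look like credentials. The following is an added example written for this article, not code shown by either speaker or by any tool vendor at the event. It assumes an install path of .git/hooks/pre-push and uses three illustrative detection rules (an AWS access key ID prefix, a PEM private-key header, and a long value assigned to a name containing password, secret or token); the only key-like string in it is AWS's documented placeholder AKIAIOSFODNN7EXAMPLE, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: a pre-push secret scanner (illustrative, not from the page or any speaker).
# Installed as .git/hooks/pre-push (assumed path) it refuses a push when any line being added
# by the outgoing commits looks like a credential. The three rules are assumptions chosen
# for illustration, not an exhaustive secret-detection policy.
#
# Rule 1: AWS access key ID, "AKIA" + 16 uppercase alphanumerics (e.g. AKIAIOSFODNN7EXAMPLE,
#         the placeholder used in AWS documentation).
# Rule 2: PEM private-key header such as "-----BEGIN RSA PRIVATE KEY-----".
# Rule 3: a name containing password/secret/token assigned a value of 16+ characters,
#         e.g. the constructed line: db_password = hunter2hunter2hunter2

# scan_for_secrets FILE: print every suspicious line (prefixed with its line number in FILE,
# or in the stream when FILE is '-') and return 1 if any were found, 0 when clean.
scan_for_secrets() {
    matches=$(grep -nE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e "([Ss]ecret|[Pp]assword|[Tt]oken)[A-Za-z_]*[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9+/_-]{16,}" \
        "$1" 2>/dev/null || true)   # grep exits 1 on "no match"; that is the clean case, not an error
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# added_lines: keep only the '+' lines of a unified diff read on stdin (dropping the
# '+++ file' header) and strip the marker, so removed lines and context are never flagged.
added_lines() {
    grep '^+' | grep -v '^+++ ' | sed 's/^+//'
}

# pre_push_scan: git feeds one "<local ref> <local sha> <remote ref> <remote sha>" line per
# ref on stdin. For each ref, diff what the remote already has against what is about to be
# pushed and scan only the newly added lines. A non-zero return makes git abort the push.
pre_push_scan() {
    zero=0000000000000000000000000000000000000000
    empty_tree=$(git hash-object -t tree /dev/null)   # base for a branch the remote has never seen
    rc=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        if [ "$local_sha" = "$zero" ]; then
            continue                                  # remote branch deletion: nothing to scan
        fi
        if [ "$remote_sha" = "$zero" ]; then
            base=$empty_tree
        else
            base=$remote_sha
        fi
        if ! git diff "$base" "$local_sha" | added_lines | scan_for_secrets -; then
            echo "pre-push: secret-like content in $local_ref; push refused" >&2
            rc=1
        fi
    done
    return $rc
}

# Act as the hook only when invoked by git through the assumed install path; when the file is
# run or sourced any other way it just defines the functions so they can be tried on sample input.
case "$0" in
    */pre-push) pre_push_scan ;;
esac
```

Because the scan runs on the developer's machine before anything reaches the server, a hit costs one local fix-up rather than a key rotation and a history rewrite. The rules are deliberately simple and will produce false positives on long test fixtures; treat the hook as a cheap first gate, with a fuller scanner in CI behind it, rather than as the only control.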

DevSecOpsDays London was organised by Mark Cluet. The next DevSecOps Days is taking place in Singapore on July 24.
