Coté

What is DevSecOps? Part Two: Automating Verification and Guardrails

https://www.youtube.com/watch?v=K9fVZU-e2Gk&list=PLAdzTan_eSPRNuA52_34wh5VTBC-0Rz7U&index=1
What is DevSecOps? Part 02: Automating Verification and Guardrails

What is DevSecOps? Here’s part two of what I think it is: actual new tools you can use to verify and trust what’s in your apps and to put up guardrails for developers. Plus, some repaving for you 3 R’s OGs.

Check out my write-up for what the other two are, and more details.

Also, here's part one.

Here is the transcript:

As you recall, the first part of DevSecOps is a secure software supply chain, which means all the activities that occur to get your software out the door, but also tracking them: verifying the third-party dependencies, services and libraries that come in there, and also the arrows in between, the transitions.

And this is where actual new technology comes into play. When you're using things like containers, the way that things like Kubernetes package up and configure, and also can restrict, the way the various components of your applications talk with each other, and the huge amount of control it has over the way things are deployed, means you're given new abilities to, if you like, enforce the security policy that you want: you can establish guardrails that make it difficult for developers and others to change things to be outside of policy.

This also means that you can automate renewing, or that is, repaving production. Because containers are very ephemeral, you can benefit from being able to blow everything away in production and build back to a known good state. This is something that people like Wells Fargo have been doing for some time, because they have a platform that uses containers in place.

The next part of this is: how do you get developers to actually use this and keep it up to date? And that's the part that platforms have failed at in the past. And I think it's because infrastructure people and operations people have built platforms to spec, to requirements that the enterprise architects and other people wanted at some point, but they didn't actively product-manage and evolve that platform.

So what you want to do is think about security like you do your platform: security as a product. You want to incorporate having a product manager, pay attention to developers as your customers, and figure out how to make the right thing the easy thing for them by building in features and really iterating on how you do stuff, focusing on building a platform that is secure rather than enforcing and mandating security that people have to follow.

So that's a little bit of the second part of what DevSecOps is. If you want to read more, I've got a little blog post on the topic, and you can also find the other videos about what it is.

Bye-bye, good luck out there.
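One concrete form of the two mechanisms the transcript names, restricting how components talk to each other and a guardrail the platform enforces rather than asks developers to follow, as an added example that is not from the video or the post: a Kubernetes default-deny NetworkPolicy plus a ValidatingAdmissionPolicy that rejects pods outside policy at the API server. The `payments` namespace and the `registry.example.internal` registry are assumptions.

```yaml
# Added example, not from the post or video. Namespace and registry are assumed.
# Default-deny: pods in the namespace accept and initiate nothing until an
# explicit allow policy exists for that connection (written per service).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments              # assumed namespace
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
---
# Guardrail: the API server rejects any Pod whose images are not from the
# vetted registry or that does not run as non-root, whoever submits it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: supply-chain-guardrail
spec:
  failurePolicy: Fail              # if the policy cannot be evaluated, deny
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["pods"]
  validations:
  # CEL: every container image must come from the internal registry
  # (extend the same rule to initContainers in practice).
  - expression: "object.spec.containers.all(c, c.image.startsWith('registry.example.internal/'))"
    message: "images must come from the internal, scanned registry"
  # has() guards avoid a CEL error when the field is absent.
  - expression: "has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot) && object.spec.securityContext.runAsNonRoot"
    message: "pods must set securityContext.runAsNonRoot: true"
---
# The binding activates the policy cluster-wide (no matchResources given).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: supply-chain-guardrail-binding
spec:
  policyName: supply-chain-guardrail
  validationActions: ["Deny"]
```

Apply with `kubectl apply -f` and verify the guardrail by submitting a pod with an outside image and confirming the API server rejects it with the policy's message; note that the default-deny also blocks DNS egress until you add an allow rule for it.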

@cote@hachyderm.io, @cote@cote.io, @cote