DevSecOps: Are we reducing silos now?
DevOps, as a movement and a set of principles, did a great job of making operations and development pretty much one integrated thing. However, industry-wide implementations are not quite there. There is an overlap with SRE (Site Reliability Engineering), and quickly you find DevOps Engineers, DevOps Architects, DevOps Directors, and DevOps Managers. There are plenty of DevOps departments out there. The same noise happened with Agile, where company structures did not change, and silos still exist. Now we are about to extend the reach of DevOps to Security. Believe it or not, the naming does not bother me much. There is a DevSecOps manifesto:
- Leaning in over Always Saying "No"
- Data & Security Science over Fear, Uncertainty, and Doubt
- Open Contribution & Collaboration over Security-Only Requirements
- Consumable Security Services with APIs over Mandated Security Controls & Paperwork
- Business Driven Security Scores over Rubber Stamp Security
- Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
- 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
- Shared Threat Intelligence over Keeping Info to Ourselves
- Compliance Operations over Clipboards & Checklists
DevSecOps makes sense; there are lots of exciting and sensible principles there. We need to work closely with security and improve things; however, I want to point out other aspects and challenges here.
The issues we need to consider are:
- The "principles do not matter" effect.
- What happens with the pre-requisites?
- What happens for low-regulated industries and companies?
- Is DevSecOps really about security?
- Are we reducing silos and making organizational changes now?
So let's get started and go aspect by aspect, down the rabbit hole. Sorry to disappoint you if you thought this would be a security-related post.
1. The "principles do not matter" effect
Pop Quiz! What do Agile, Lean, SOA, Microservices, and DevOps have in common?
A) All buzzwords people don't understand but claim they are doing.
B) You say you want to do it, but you do not know what it means.
C) The last 10+ years of hype cycles?
D) All of the above
Albert Einstein once said, "I don't need to know how to answer the sum of two numbers, but how the sum principle works." That's the issue. We have all this action around tools and processes, and we forget the principles. We apply some of the principles and still call ourselves Agile, Lean, DevOps, Microservices, and now we have DevSecOps to add to the list.
2. What happens with the pre-requisites?
Another question. Can we implement DevSecOps without implementing DevOps properly? Can we implement DevOps properly without implementing Agile properly? Can we implement DevOps properly without Microservices? Can we deploy Microservices properly before knowing SOA? One movement is an evolution of, and an input into, the next one, sure. But is it all about evolution? Are we missing something big here?
Do we have any prerequisites for doing DevSecOps? I always see DevSecOps material related to CI/CD and Microservices. Can we reduce the attacker's blast radius with a monolithic application and a database globally shared across all the monoliths?
3. What happens for low-regulated industries and companies?
So IMHO, DevSecOps is not only about highly regulated industries that need to deal with PII data, like insurtech, fintech, banks, and such. As Vogels said recently, "Everybody needs to be a security expert now." If you have a digital product, you need to worry about security; data breaches are more common than ever and could definitely kill your brand and user experience. Unfortunately, what happens is that security is often the last thing people care about. There was a time when testing was the last thing to be done in a project; now it is security.
4. Is DevSecOps really about security?
Yes, but not limited to it. It's also about proper architecture, cloud engineering, DevOps, Agile, and several other things. You might say, "I don't need to worry about anything else; I can focus just on security." So how do we:
- Deploy security patches to all machines and services without downtime?
- Update configurations at runtime, without downtime, across a massive number of microservices?
- Reduce both the attacker blast radius and the reliability blast radius? Are they opposites after all?
- Rotate Kubernetes cluster keys? Can we even rotate those keys? Are we using HTTPS everywhere? How do we know all this?
- Validate best practices at scale? Do we need to change the build process, or do we do it all manually?
Quickly, all these questions turn out to require infrastructure, automation, and architecture around lots of non-security topics like CI/CD, automation, observability, better deploy pipelines, dynamic configuration systems, discovery, automated remediation, and much more.
5. Are we reducing silos and making organizational changes now?
So this is the big question, right? Are we going to continue with the same security anti-patterns, like storing passwords in GitHub? Storing credentials on the EC2 machines instead of in a secrets manager like Vault? Writing JDBC SQL code without proper parameter binding and allowing SQL injection? And after all that, declare victory and say we are doing "DevSecOps"? The whole industry needs to LEARN and needs to change. Both things are hard, but at some point, things need to change.
Cheers,
Diego Pacheco