DevSecOps: Are we reducing silos now?

DevOps, as movement and set of principles, did a great job making Operations and development the same integrated thing pretty much. However, industry-wide implementations are not quite there. There is an overlap with SRE(Site Reliability Engineering), and quickly you find DevOps Engineerings, DevOps Architects, DevOps Directors, DevOps Managers. There are plenty of DevOps departments out there. The same noise happened with Agile, where the company structures do not change, and silos still exist. Now we are about to extend the reach of DevOps to Security. Belive me of not the naming does not bother me much. There is a DevSecOps manifesto.

DevSecOps Manifesto

Leaning in over Always Saying "No"
Data & Security Science over Fear, Uncertainty, and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists


DevSecOps make sense; There are lots of exciting and sensible principles there. We need to work closely with security and improve things; however, I want to point out other aspects and challenges here. 

The issues we need to consider are:
  1. Principles do not matter effect.
  2. What happens with the pre-requisites? 
  3. What happens for low-regulated industries and companies? 
  4. Is DevSecOps really about security? 
  5. Are we reducing silos and making organizational changes now?

So Let's get started and go aspect by aspect, down to the rabbit hole. Sorry to disappoint you if you thought this would be a security-related post.

1. Principles do not matter effect

Pop Quiz! What Agile, Lean, SOA, Microservices, DevOps have in common? 

A) All Buzzwords people dont understand but say they do it.
B) You say you want to do it, but you do not know what it means.
C) Last +10 years of hype-cycles? 
D) All the above

Albert Einstein once said, "I don't need to know how to answer the sum of two numbers, but how the sum principle works." That's the issue. We have this action about tools and processes, and we forget the principles. We applied some principles as before as still call our selves agile, lean, DevOps, Microservice, DevOps, and now we have DevSecOps to add.

2. What happens with the pre-requisites? 

Another question. Can we implement DecSecOps ops without implementation DevOps properly? Can we implement DevOps properly without implementing Agile properly? Can we implement DevOps properly without Microservices? Can we deploy Microservices properly before knowing SOA? One movement is evolution and input into the next move, sure. But is all about evolution? Are we missing something big here? 

Do we have any pre-requisite to doing DevSecOps? I always see DevSecOps material related to CI/CD and Microservices. Can we reduce the attacker blast radius with a monolith application and globally shared database across all the monoliths? 

3. What's happens for low-regulated industries and companies? 

So IMHO, DevSecOps is not only about high-regulated industries that need to deal with PII data like ensure-tech, fin-tech, banks, and such. Like Vogels said once recently, "Everybody needs to be a security expert now." IF you have a digital product you need to worry about security, Data Breaches are more popular than ever, and deftly could kill your brand and user experience. Unfortunately, what happens is that security is often the last thing that people care about it. There was a time that Tests was the last thing to be done in a project, now is security. 

4. Is DevSecOps really about security? 

Yes, but not limited. It's also about proper architecture, cloud engineering, DevOps, Agile, and several other things. Might you say I dont need to worry about anything I can focus just on security? So how do we?

  1. Deploy security patches to all machines, services without downtimes?
  2. How we Update configurations at runtime without downtime at the massive number of microservices? 
  3. How do we reduce the attacker and reliability Blast radius? Are they opposite after all? 
  4. How do we rotate Kubernetes Cluster Keys? Can we turn that keys? Are we using HTTPS? How do we know all this?
  5. How do we validate best practices at scale? Do we need to change the Build process, or we do all manually? 

Quickly all these questions should require infrastructure, automation, and architecture around lots of non-security related topics like CI/CD, Automation, Observability, Better Deploy Pipelines, Dynamic Configuration Systems, Discovery, Automated Remediations and much more.

5. Are we reducing silos and making organizational changes now?

So this is the big question right. Are we going to continue to do the same security anti-patterns like store passwords in github? Store credentials in the EC2 machines instead of a Secrets Manager like Vault? Do JDBC SQL code without Proper Binding and allow SQL-Injection? After all and declare victory and say we are doing "DevSecOps." The whole industry needs to LEARN and need to change. Both things are hard, but at some point, things need to change. 

Cheers,
Diego Pacheco

Popular posts from this blog

Kafka Streams with Java 15

Image
Kafka Streams is a Streaming library similar to Spark and Flink which works with Apache Kafka. Kafka stream can be useful to process historical and near-real-time big data workloads but also for non-realtime analytical computations at scale for the online world as well. Kafka-Streams is elastic, highly scalable, fault-tolerant, and fully integrated with Kafka. You can use Kafka Stream with Java, Scala, Kotlin JVM applications and also have exactly-once processing semantics. Kafka-Streams is being used by the New York Times, Pinterest, Line, Trivago, Zalando, and many other companies. Today I want to share a video of Kafka-Streams running with Kafka 2.6 and Java JDK 15. So Let's get started. 
read more »

Rust and Java Interoperability

Image
Rust does not stop for one second to amaze me. It looks like Rust was designed to talk to every other language so easily. No kidding, it's clear way Web Assembly and rust have lots in common. Java is never an easy lang to interop with. Today I will show how easily we can interop Java & Rust. In order to do so, we will need to use the Java and Rust compilers. For Java, we will not require any other lib than the standard JDK. For Rust, we will need to create a lib project in cargo and we will need to use the crate JNI. I love this feature because java does not allow low-level code on the main language. So if we need to do something low level, efficiently Rust is my first choice, not only for safety reasons but because is really fast.  Let's get started.
read more »

HMAC in Java

Image
In 2018 AWS CTO(Vogels) said : "Security is everyone's job". For the last 2 years, there was so many famous and big data leaks and breaks that made that statement be very true more than ever. Security often could mean worst performance and worst user experience so in order to get it right you really need to think about the designs before jumping into to code and consider performance and user experience has main requirements.  I was thinking about writing about how to do HMAC in Java for a while and recently Redis 6.0.0 come out and to my surprise, there was a refactoring on the password part in order to use HMAC.  Security easily could scare engineers often because it is not something well spread yet but I believe this will change soon. It does not matter if you have to deal with PII Data or not, security is super relevant because everybody is running their workloads at the cloud or with IoT and Edge devices which means more distribution, more code, more points of fail
read more »