Should we incorporate a “Security First” mindset in DevOps? 6 experts weigh in
Should you pay more attention to security when drafting your DevOps approach? Our experts think that security should be included in the initial development along with all other concerns about how the software should perform. We invited six JAX DevOps speakers to weigh in on the importance of security in a DevOps context, companies’ move to the cloud and how/if this trend will continue to grow in 2018.
DevSecOps: What’s in a name?
According to the tech-based research firm Gartner, integrating security into DevOps requires changing mindsets as well as practices. Collaboration is key to making the “Sec” in DevSecOps silent.
We set out to find out what’s in the DevSecOps name, whether people treat it differently than DevOps or if they already have a “Security First” mindset. Does this mean that Ops is no longer needed? Quite the opposite, according to JAX DevOps speaker Pierre Vincent, who says that “There is tremendous value in giving the opportunity to ops/sysadmins/infrastructure engineers to focus on things like platform reliability, relevant monitoring, etc.”
Before we continue the “interrogatory”, you might want to have a look at Gartner’s top 10 things any company needs to remember if they want to integrate security into DevOps. These common sense DevSecOps tips will come in handy if you are trying to incorporate a “Security First” mindset in your DevOps approach.
In the first part of this interview series, we asked six JAX DevOps speakers to share their predictions for 2018 and pinpoint the characteristics that every good DevOps practitioner should have. Now it’s time to talk about DevSecOps, companies’ move to the cloud and how/if this trend will continue to grow in 2018.
Will DevOps stay as it is now or is there a chance that we’ll be calling it DevSecOps from now on?
The DevOps actors
Tommy Tynjä: Delivering software is so much more than just development and operations. There is not only the security issue, but also quality assurance, monitoring, fault-tolerance etc., so I see no point in bolting on security to the DevOps term.
It rather emphasizes a common problem in the industry, which is that security is often bolted on afterwards. It is something that should be in everyone’s interest and thus has to go into the initial development along with all other concerns about how the software should perform.
Pierre Vincent: There has definitely been increasing concern that security and vulnerability awareness was lacking in the DevOps effort. Teams are starting to integrate security scanning in their CI/CD pipelines, which is a great sign this is picking up. Tools like Vault have seen increasing adoption, showing that secret management is something people are concerned about.
To be honest, I doubt that the name will change and I kind of hope it doesn’t. As an industry, I think we have a tendency to rant too much on naming, sometimes losing sight of the great success of ideas (even if not everybody agrees on the name).
Michiel Rook: Sec definitely has its place in DevOps. I’m not sure whether we need to start extending the phrase.
Antonio Cobo: I think we will continue to use the term DevOps, but we will incorporate a “Security First” mindset in it.
Philipp Krenn: I’d say that “everyone is responsible for security”, which I think is the most succinct definition of DevSecOps, is part of DevOps. Having different silos and shrugging off responsibility should be a thing of the past.
Do we need another buzzword for it? I would disagree, but if you are publishing hype cycles or magic quadrants you will have a different opinion.
Do you think more organizations will move their business to the cloud in 2018?
Daniel Bryant: I believe more organizations will continue to move to the cloud, particularly SMEs. I’m assuming that the default mode of operation for a startup would be cloud-based, and larger enterprises are moving to the cloud as part of bigger “digital transformations”. The economics of cloud are powerful, as is the flexibility, the potential decrease in time-to-market for software products, and shared security model.
Tommy Tynjä: Leveraging cloud technologies is the next natural step for an organization adopting Continuous Delivery and DevOps ways of working. It speeds up infrastructure provisioning and setup while providing development teams with self-service infrastructure. This also allows the development teams to take ownership of the infrastructure where their applications run. I’ve seen companies get a big boost in terms of software delivery pace after adopting cloud technologies.
Pierre Vincent: Most definitely. For 99% of organizations, maintaining and investing in their own infrastructure is not a distinguishing factor: best-case scenario, they do it just as well as the competitors; worst-case, the new startup on the block is already on the cloud and not spending any time on it!
As companies start recognizing that they draw their competitive advantage from what makes their business unique (and running your own infrastructure isn’t), I really believe that moving to the cloud is going to become a top priority.
That is not to say that we’re moving to a place where Ops is no longer a thing, quite the opposite: there is tremendous value in giving the opportunity to ops/sysadmins/infrastructure engineers to focus on things like platform reliability, relevant monitoring, etc.
Michiel Rook: With cloud services becoming available in more countries, more and more companies will be able to move, especially those that have a (legal) requirement that their data should be stored in a particular country.
Antonio Cobo: Yes, the gains in time to get your app up and running and the cost savings mean that organizations will keep moving to the cloud in 2018.
Philipp Krenn: It’s probably not a super hot topic anymore, but the trend will continue. Few companies have the knowledge and resources to run their own infrastructure better than the big cloud providers. They had their infrastructure patched against Meltdown before you even saw the security advisory, for example.
In the third part of the interview series, our interviewees weigh in on the containers-as-a-service boom and debate whether Java is ideal for microservices developments. Stay tuned!
Are your calendars marked for JAX DevOps 2018? If you’d like to know more about the latest trends in DevOps and meet the top movers and shakers in the global DevOps scene, join us in London between April 9-12, 2018.