According to Gartner, DevSecOps is becoming one of the hottest topics in IT. But how many practitioners actually understand it? It is not DevOps itself: it is not about moving from traditional waterfall development to scrum-based agile development. Nor is it a pure security topic. So how would a DevSecOps conference differ from the usual security and DevOps events?
In February, I found out: I attended DevSecCon in Singapore. The attendees and speakers were split between security and development professionals, so it was a good mix of the two camps. Let me share three takeaways from the sessions I attended, with some selected quotes from developers at the conference as well:
Dev culture change
“Every dev should take security training.”
“IT security is the responsibility of everyone.”
They also said that, while developers usually don't prioritize security, they do need to fit into the security world. The developers described several challenges in securing their applications and explored how security could become part of their culture and working style. The overall sentiment favored embedding security teams in their projects. Someone even suggested: “Security teams should be in customer meetings as early as they can, so that they won’t need to go back later to find the challenges.”

Security culture change
“We security professionals should try to be technicians, not just pointing fingers at developers.”
“I feel that security teams are not good at automating processes. They tend to default to manual processes.”
“We suggest security teams start by building a relationship with development teams.”
These three comments suggest that security practitioners can and should be part of development teams. I would say the struggle the security teams shared was the other side of the same coin: security staff want to know how they can be better advocates for DevOps projects. They know they should not be a blocker for development, and that they need to adopt some of the toolchains and processes DevOps uses. This is why “shift left” – which was also a big topic at RSA Conference 2019 in San Francisco – was mentioned widely at this event. It is necessary not only because security professionals want to elevate their value, but also because they see it as the only way to adapt to the digital business era.
Talent
“Organizations tend to hire more developers, while forgetting to hire security people. As a result, scaling security teams becomes an issue.”
“Lack of application security talent is the root cause. Most of those who apply for app security positions are network security people.”
Another issue that was highlighted was the shortage of resources and talent. As these comments show, application security positions are not easy to fill. Security teams struggle to scale while their organizations focus on accelerating development to meet business needs. Toolchains and automation should fill this gap by making the security team's job faster and more scalable, but I felt that should be only the first phase. In the long run, both DevOps and security jobs should be simplified enough that DevOps and security talent can each do both roles.
***
The culture in this space is not easy to change, but everyone knows it must. It was interesting to see how speakers from both security and development teams had common themes, struggles, and suggestions. The shared idea: developers and security people need to unite as a single team with the same goals. The good news is that many toolchain vendors and solution providers now focus on this simplified approach. It is a kind of democratization of software engineering technologies and security solutions alike. So we are all moving in this direction.