The challenge to get security being something that's built in, not bolted on.
Read the related ESG Blog: Talking About Linking Development and Security
Mark: I've been trying to catch up with some of my ESG colleagues to see what's changing in their areas of expertise and study as the year goes on. Doug Cahill is with me today. Now, we've talked a number of times, Doug, about, obviously, your beat and security in general. One of the things that I know you've emphasized many times is the challenge to get security being something that's built in, not bolted on. And one of the places to build it in is not just with systems and with equipment, but of course, is with people. And so what I was interested in, I know you've been thinking and writing about this, is the link between the development teams and security.
Doug: You bet, Mark. I mean, the context that a cybersecurity program is comprised of: people, process, and technology. Sometimes we sort of over-index on the last part, on tech. And if we think about the new methodologies and how we're deploying and provisioning modern infrastructure, i.e. continuous integration, continuous delivery, DevOps methodologies, it really, for some, from a security perspective, sort of upends how we do things. Now, at the risk of being pollyannic, because I can be an idealist, I actually view this as an opportunity. I think, you know, too often, security has been bolted on, and if we integrate security every step of the way, the way we do software development, software delivery, QA and test and then into production, then we can actually move the needle. We can improve an organization's security posture. But the problem is, there are different perceptions from the Dev team and the security team.
Mark: About what's needed or who's responsible?
Doug: It's really, sort of, about competing objectives, right? Developers are charged with getting new code into production as soon as possible for new revenue opportunities. The security team wants to be more diligent. They want to put on the brakes, slow things down, secure the whole stack. And, you know, a security person said to me once, you know, DevOps is like running with scissors.
Mark: And a DevOps person said, sure.
Doug: Yeah, why would I include security? It's gonna slow me down. So really, it's understanding that security really is a shared responsibility between the two teams, and as long as the security folks give the developers security controls that integrate with the development tools they're already using, then we can integrate and automate, and we can do things like static testing in our development code, composition analysis. We can do vulnerability checks and configuration hardening before going to production and then automate the provisioning of runtime controls in production. So, that's the pollyanna part, but I think it's actually an opportunity. We can introduce security every step of the way so it is bolted in, and you gain more operational efficiencies as well.
Mark: Is your point here, and in what you wrote, to highlight a best practice that is happening, or to alert people that this is something they better do or we'll fall down worse?
Doug: Great question. So the research we did last year in this area indicated there's strong desire in understanding the use cases, so there's market interest in leveraging continuous integration and delivery to automate security, but a lot of professionals don't know where to start. And that's really what the article I wrote is about. Here are five ways to get started, both from a people and process perspective but also a technology perspective.
Mark: Right. So, less pollyanna, more kumbaya, really. We need to go and, you know, start holding hands. Not just believing the future will happen, but this is a way that you can make it: not a future, but a secure future can happen if you actually talk to your colleagues.
Doug: A more prescriptive way on how to move forward with what's widely called DevSecOps. The term doesn't really matter. It's really just bridging the gap between developers and security teams to integrate and automate security. You know, we've got to fill the void on being more prescriptive on, hey, where do I start? What are the Agile user stories I should write, for example?
Mark: All right. No, thank you. Before we close this down, a promo for the blog and the full article?
Doug: Yes, it'll be published later this week on cybersecurityhub.com, so cshub.com.
Mark: All right. Thank you for watching.