Marc Cluet is an organizer of London DevOps, DevSecOpsDays London and DevOps Exchange Barcelona, and technical practice lead for the digital accelerator platform at Nationwide Building Society in the UK. I recently spoke with Marc about how we have reached the current state of DevSecOps.
What was it that made you start organizing DevSecOpsDays in London?
Marc: In the past, I have been involved with and organized events such as WebPerfDays and DevOps Days, and because of this I was approached by Mark Miller to see if I would be interested in running DevSecOps Days here in a similar unconference spirit. I found the idea challenging and positive—my aim has always been for any events I organize to be able to give back to the community, and there was certainly a space for a DevSecOps unconference in the UK.
How would you describe the DevSecOps community in the UK? How is it different from the rest of the world, do you think?
Marc: I would say that the DevSecOps community in the UK is one of the most forward-thinking and advanced in the world. It encompasses all kinds of sensibilities, especially in a place like London where you have so many strong businesses in a single place, which is hardly reproduced anywhere else in the world.
Helen: How do you define DevSecOps?
Marc: DevSecOps builds on the culture and collaboration fostered by DevOps to ensure that security is a first-class citizen and involved in the creation and evolution of software from the beginning rather than being an afterthought.
When organizations move products and services into the cloud, what considerations do they need to maintain or improve their security posture?
Marc: Definitely improve; most organizations come from a world where the security lens was applied too late in the process. With cloud in general being a zero-trust zone, it is extremely important to improve the security posture and have the security teams embedded as much as possible. We all have seen what happens when that is not the case, full buckets of confidential information available on S3 as an example.
How would you characterise the relationship between cloud and DevOps and DevSecOps?
Marc: They are all interconnected as they are part of what I call the “rubber bands” theory; each change and advance in technology, process or security accelerates that area which in effect pulls the other areas to accelerate or create a tension, like a rubber band connecting them. You don’t want that dependency or connection between different areas to snap as that is what creates internal tension in organizations. Cloud accelerated the platform, which enabled DevOps methodologies to be more effective which at the same time created the need for more integrated security and the shift left which DevSecOps enables.
Why are certificates still a challenge for DevOps?
Marc: Certificates used to be a very awkward thing, which required a lot of manual validation and interaction. Thanks to efforts like Let’s Encrypt, which popularized the use of APIs for certificate validation, and the ability to self-enroll into delegate CAs, certificates are a lot easier than they used to be. I would say it might still be a challenge, but it is one now that can be coded and properly maintained; adding Kubernetes cert-manager or Vault on top of that (or any other secrets solution) makes things extra amazing.
Is there a reference architecture or common toolset you look to as a model for engineering teams wanting to improve security around their product, pipeline and platform?
Marc: There are several. I would say this depends very heavily on the application itself and the nature of it; monolithic applications will have slightly different hardening and security review techniques than microservice or serverless apps. I would recommend looking at studies from the DevOps Institute as cross-industry standard references, which are reflected in their own publications and also those of IT Revolution Press.
Do you think bug bounty programs are a legitimate way for an organization to crowdsource security testing or are they a PR exercise and kind of lottery for threat hunters?
Marc: Bug bounty programs definitely are a good way to incentivise scrutiny of your application by the broader security community. The thing that I find sometimes lacking is a bit more clarity about risk, governance and responsibility. We have all seen cases where vulnerabilities have been reported only to hit a wall on the other side, or where the reporter has been directly reported to the authorities.
Helen: What does ‘good’ DevSecOps culture look like, and how do organizations create and nurture it if they don’t already have it?
Marc: DevOps culture is intrinsically related to the business organization and overall culture as well. I would say there is no one model that fits all, but best practices definitely do help. Make sure security is embedded in your processes from the beginning and be able to work hand in hand with the teams, shifting left and budgeting for security from the beginning.
What mechanisms or practices do you recommend product teams use to measure their value outcomes?
Marc: Great question! First of all, I would say the evolution from project-minded to product-minded outcomes is one of the biggest shifts we’re seeing in the industry. This goes hand in hand with agile delivery and empowers DevOps to do what it does best as well. Based on the shape of the product and the target consumer base there are different business metrics to be able to measure it successfully, but if I had to distill this down to the most basic it would be around time from ideation to market and pivoting potential, both very useful for the heavily competitive market we live in. I’d recommend reading ‘From Project to Product’ from Mik Kersten and ‘Flow’ from Fin Goulding and Haydn Shaughnessy for further inspiration and ideas.
Will DevSecOps live forever?
Marc: I’m not really the one to say, but I think that it will be around while it is useful. I really hope for a future where security is so integral that we don’t need new portmanteaus to characterize it.