When Maria Schwenger looks into the future of software security, she sees a big role for artificial intelligence. Maria, who is head of app security and data protection at leading U.S. insurance company American Family Insurance, shared her vision with me during a recent appearance on DevOps Radio. “I’m convinced that AI will be a valuable accelerator for DevSecOps and could very possibly reform the way DevSecOps works today,” says Maria.
For the last few years, the “Sec” part of DevSecOps has been playing catch-up with mainline DevOps practices, Maria says. “Security has been traditionally hard to do, but in the past we had the luxury of more time. We were working in a traditional waterfall model where everything was sequential, so we could take longer to do security.”
That changed with the arrival of modern DevOps and agile methods. “Think about how rapidly developers are releasing code today,” she says. “That means every sprint, every small iteration, needs to consist of the security cycle as well.”
In fact, the job of security and data protection has gotten tougher all around, she says. Cyber criminals today are much more sophisticated and faster to adapt than ever before. Meanwhile, software has become more vulnerable due to the spread of new technologies developers use to build modern applications. “API, cloud native, containers, Kubernetes—all of these things increase the attack surface we need to protect,” Maria says.
Competitive Pressure
Challenging market conditions are also compelling businesses to make DevSecOps a top priority. “There is more pressure for traditional DevOps teams to become DevSecOps teams,” she explains. “Businesses are actually demanding DevSecOps because that’s the only way to release rapidly and beat the competition to market.” In fact, that urgency is why the term “DevSecOps” was coined a few years ago, she says. “They put the Sec in between Dev and Ops because security professionals were forced to hurry and become an integral part of the DevOps culture.”
If anything, the pandemic has accelerated the push for DevSecOps and better cyber security. “COVID-19 really changed everything – the way we work, the way we shop, the way we dress,” she says. “With more people working from home, properly securing cloud applications has become a prerequisite. It really puts a lot of heat on the DevSecOps teams to come up to speed.” Today organizations need faster patching and testing capabilities, more staff to manage the extra requirements, and a greater overall awareness of the importance of security in the software development lifecycle.
Experimenting with Artificial Intelligence
Artificial intelligence may be just what organizations need now to help DevSecOps live up to its new responsibilities and drive digital transformation across the enterprise. Maria’s interest in AI dates back to her days working at IBM, where she helped build cognitive APIs and frameworks as part of the IBM Watson Developer Cloud. Artificial intelligence—augmented by machine intelligence—is the “next big thing,” she says. “It will be the next accelerator in probably every single space of our technology for the next decade.”
But can AI and ML really boost DevOps efficiency and effectiveness? Recently, Maria and her colleagues conducted an “experiment” to find out. “We wanted to determine if AI could give us a different view of traditional DevOps, and if we could create a new set of DevOps metrics and tasks based on AI and ML capabilities.”
Maria is eager to share what she discovered from her foray into “applying AI within the DevSecOps space.” I’m curious as well, but unfortunately, Maria was reluctant to spill the beans on our podcast. That just means you’ll have to tune in to her talk at DevOps World later this month to get the full story.