In the latest installment of DevOps Radio, David Habusha, vice president of product at WhiteSource Software, explains to host Andre Pino how he first got into cybersecurity, after starting his career in open source. As the founder of a privacy company, David discusses the intersection of security, DevOps and open source, or DevSecOps.
DevSecOps is a very hot topic for DevOps practitioners right now. David notes that today's CI/CD tools allow for event-based actions in software development that are essential to maintaining security hygiene. One of the challenges David has observed in DevSecOps adoption, though, is that standardization, whether of tools, languages or location, can be difficult. Even when organizations have all the tools and processes in place, they still need to secure the gaps between them while building harmony between teams. To truly succeed in putting security into DevSecOps, organizations need to shift security left in software development, but developers first need to overcome their disinterest in automating security testing at all.
Staying with DevSecOps, David then circles back to the topic of open source software usage, noting that adoption is booming. A reported 80 percent of all software contains open source components (this has doubled since 2017). While use of open source shortens time to market and taps the innovation of a wider community, organizations need to closely monitor open source (and all software) for potential vulnerabilities.
David leaves us with the final advice: Keep it simple. Developers don’t need to interfere with working processes to maintain a highly secure environment. This can instead be achieved with awareness, and having the right processes and tools in place.
Want more DevOps insights and advice? Check out our previous episodes or subscribe to DevOps Radio on iTunes or Spotify. You can also join the conversation on Twitter by following @CloudBees and using #DevOpsRadio in your Tweet.