Yesterday we, along with about 800 security professionals, attended the DevOps Connect: DevSecOps session at the RSA security conference. This one-day event brought together dozens of security practitioners to share real-world stories, lessons learned, and best practices for integrating security into DevOps initiatives. Speakers included Paula Thrasher, director of digital services at CSRA and a regular C9D9 panelist, and John Willis, CloudBees advisor and DevOps author. Our friends at Sonatype and several other vendors also had displays.
Making DevSecOps the Path of Least Resistance
Not surprisingly, there were a number of common themes in the presentations:
Understand the cost savings from detecting and fixing problems early
Secure "from the start" by making developers responsible for securing their code
Secure the pipeline as well as the code
Enable better communication and visibility/auditability
Enable teams to identify problems and fix things quickly
Surprising Data
We took the liberty of surveying attendees about their DevSecOps journey and discovered, not surprisingly, that Security needs to shift left:
38% discover problems in the QA or UAT stage, 26% discover problems in Production
20% said it would take more than a week to produce an audit log, 7% couldn’t do it at all
40% said they didn’t have a secure, versioned or audit-friendly pipeline
40% said it would take more than a week to add a new security tool to the pipeline, 2% said they couldn’t add a new tool at all
30% said it would take more than a week to identify and patch compromised or vulnerable components, 2% also said they couldn’t do it at all
Most attendees were confident in their pipelines and practices. However, the data clearly illustrates that many security teams still have a long way to go before they are equal members of the software delivery process. Check out our webinar, “You Build It, You Secure It,” with John Willis and our own Anders Walgren, as they explain the ways you can make the “Sec” in DevSecOps silent.
Coming soon on Continuous Discussions:
DevSecOps from the ground up
Stay tuned for the May 1 episode of our #c9d9 video podcast, which will also be dedicated to DevSecOps, featuring panelists John Willis, Paula Thrasher, Chenxi Wang, Derek E. Weeks and Alan Shimel.