The Next Wave of DevOps: Security as a Team Sport
bfuller
Posted on October 31, 2023
Recently I wrote about the Next Wave of DevOps in my blog “Threads of the next wave of DevOps”, and I also wrote about toil. In my mind, the most interesting shift is the focus on security first.
Folks might think of security in one of two ways. There’s the DoD way, where we use militarized terms to describe what we are doing: blast radius, attack surface, and threat model. Or there are hackers (ethical or not). You might even think of supply chain hacks like SolarWinds, where third-party software unknowingly gave hackers access to your data, generally because of a vulnerability in that software that the hackers exploited. The data accessible can range from company secrets to private data like your medical history. It’s nefarious and it’s invasive, and it requires full teams of people at companies to track and squash.
In both instances, we think of a threat coming for us, and we fortify. That has its place: cyber-attacks are up and are expected to increase exponentially with the addition of GAI. We acknowledge that outside attacks are still happening, such as nation-states hacking into Atlassian and the cURL CVEs. It’s only a matter of time before we have our next all-hands-on-deck vulnerability, so we need protections and reasonable protocols.
These attacks will continue to drive mandates such as the executive order around SBOMs. There will continue to be discussions around how best to implement them, how to avoid security theater, and how to simply create a secure environment. I welcome these discussions. We know that we need to be fortified, but as our Director of Engineering Audrey Eschright says, sometimes the call is coming from inside the house.
In addition to products that help fortify, we need products that make secure practices easy and sustainable. That’s where the Next Wave companies shine. They are doing this using guardrails, insights, and best practices that are baked in. That makes security second nature for everyone, without expecting everyone to be security experts.
Combining hard security requirements with more secure practices is bound to make the lives of our security experts easier. There’s no need to shift left: the products shifted for folks.
The call is coming from inside the house
What do I mean when I say, the call is coming from inside the house?
I’m talking about things like the impact of hallucinations, and how having unknowns is going to become the big bad. More practically, I’m referring to protocols that are so stinking hard that folks find a way around them – and then become a security risk.
These are not malicious attacks; they are caused by people who are just trying to do their job, meet their OKRs, and not get paged in the middle of the night. Belts are being tightened and teams are smaller than we would like. We are living in a world where we are all a little bit tired. No one has the bandwidth to take on yet another job.
We need to have the care and attention for our internal teams to ensure they can get their work done and don’t inadvertently implement something that puts companies’ proprietary information at risk. We need guardrails, and they need to be easy to implement: guardrails that meet people where they are at.
Get out of the factory
We often think of security as a step in the chain: part of the CI/CD pipeline, policies enforced through a policy engine like OPA, or a spreadsheet of vulnerabilities.
I prefer to riff off the analogy Adam Jacob used: we aren’t working in a factory, we are playing in a professional sports league. If we imagine security as the goalie, we integrate differently. We practice together, fill in for security, double up, and mostly try to keep the ball away so they don’t have to make the diving catch for us. Security knows the plays and they are an integrated and active part of the team.
We should move past our current model, where we keep security in a pipeline: they have a place, a single place, which creates a bottleneck. That place often has workarounds and gaps, which force security to chase down information. When security tries to enforce rules, they come across as the heavy. Next Wave companies are changing that paradigm by being more opinionated about how everyone contributes.
It’s time.
This doesn’t mean Next Wave security tools will hinder your creativity; it means their tools allow you to be creative and to innovate safely, while also reducing your cognitive load.
The guardrails that meet you where you are at
AppMap
Maps and analyzes your code – and its quality – and ensures best practices are being followed BEFORE it lands in production. AppMap reduces your risks before they cost you.
DryRun Security
Provides you with security context at the source – when writing your code. This makes security your goalie who knows the plays from the get-go.
OpenContext
Provides insight into what is in your system, from code to artifact to cloud, and finds your unknowns to make them known. Tracks your subject matter experts so folks can team up, working in their respective cohort to identify where best practices are working, implemented, or in need of calibration. Think of us as git blame for nice people!
Overmind
Helps you understand your infrastructure, making it approachable for platform engineers to grow and maintain their infrastructure.
Stanza
Stanza helps you to plan for, react to, and automatically survive many production problems, including traffic management, resource protection, and rate-limiting generally.
System Initiative
Ensures you have the appropriate structure and guardrails for your infrastructure out of the gate, with no guessing. Baking in the guardrails to reduce your lift allows folks to focus where they need: building, maintaining, and scaling their modern-day infrastructure with all its complexity.
Security is more than vulnerabilities, threat models, and assessing attack surfaces. It’s the guardrails that reduce your cognitive load by integrating seamlessly with the way you work today. The Next Wave companies are meeting you where you are at, so you don’t have to wonder where the call is coming from.
All of these companies have a beta or a GA product you can try out.