— This is Part 4 of Load Impact’s Velocity NY Preview Series. Load Impact is chatting with some of the cutting-edge developers and executives who will be speaking at Velocity NY Oct. 12-14.
For a long time, the relationship between security professionals and developers was pretty contentious and maybe even a little adversarial.
Developers would spend a lot of time writing code and push it to a staging area, only to have security tell them it couldn't be deployed. Both sides had their organization's best interests in mind, but there had to be a better way for them to work together.
Security expert Ty Sbano says the onset of the Continuous Integration/Continuous Delivery (CI/CD) and the DevOps revolution has changed that relationship for the better — at least in his experience.
“Security needs to be empowering the business,” Sbano said. “DevOpsSec is one of the patterns that enables the automation and the transparency to give businesses what they deserve and need. That’s the ability to quickly deliver better service to our customers.”
Sbano will be presenting “Security with the Speed of Continuous Delivery” alongside Tapabrata Pal Oct. 12 at Velocity NY, in which they’ll tackle how security fits into the CD cycle and share experiences from their time within Financial Services.
The old infosec approach was to certify every piece of code before deployment, creating "security gates," as Sbano put it. Hard security gates with manual sign-off for all code are simply not realistic in a CI/CD cycle, but he said the gates giving way is a good thing.
Sbano's point is that if a bug ships in a software update now, it might only be exposed for a few days, maybe even a few hours, before a fix is deployed. Before, a security vulnerability might go uncaught for 18 months, which is obviously a much bigger problem.
And Sbano said security through CI/CD and DevOps can strengthen the cohesiveness of the infosec and development teams.
“If we’re continuously identifying bugs through automation and manual security techniques, we can move forward quickly by addressing technical debt through the speed enabled by Continuous Delivery,” Sbano said. “Because of our partnership with development and architecture, we’re fixing bugs at a faster rate because we have the opportunity and the resources. That’s created a better partnership to achieve high-quality code. If there is ever a show-stopping vulnerability, DevOps enables us to roll back or remediate quickly. Everyone wins together.”
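The pattern Sbano describes, an automated check in the pipeline replacing a manual sign-off gate, can be made concrete. The following is an added example, not code from the Velocity talk or from Capital One; the JSON shape of the static-analysis findings, the `fingerprint` field, the baseline of previously accepted findings, the `GatePolicy` thresholds and the SLA values are all hypothetical. It blocks a deploy only on new findings at or above a severity threshold and turns everything else into tracked technical debt with a due date, so the stage fails fast without a human in the loop.

```python
"""Automated security gate for a CI/CD pipeline stage.

Added example; it is not code from the Velocity talk or from Capital One.
Everything here is hypothetical: the JSON shape of the static-analysis
findings, the fingerprint field, the baseline file and the policy values.
It demonstrates the idea in the text: replace a manual sign-off gate with an
automated decision that blocks only on new, serious findings and records the
rest as technical debt with a due date.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import date, timedelta

# Severity order used to compare findings against the blocking threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GatePolicy:
    """Hypothetical policy: block at or above `block_at`; lower severities
    become debt that must be fixed within `debt_sla_days[severity]` days."""
    block_at: str = "high"
    debt_sla_days: dict = field(default_factory=lambda: {"medium": 30, "low": 90})


@dataclass
class GateDecision:
    blocked: bool
    blocking: list      # new findings at/above the threshold: fail the stage
    new_debt: list      # new findings below the threshold, with a due date
    known_debt: list    # findings already in the baseline: do not re-block


def run_gate(sast_json: str, baseline: set, policy: GatePolicy, today: str) -> GateDecision:
    """Evaluate one tool run. `baseline` holds fingerprints of findings
    already accepted as debt, so only NEW findings can block a deploy."""
    block_rank = SEVERITY_RANK[policy.block_at]
    run_date = date.fromisoformat(today)
    blocking, new_debt, known_debt = [], [], []
    for finding in json.loads(sast_json):
        if finding["fingerprint"] in baseline:
            known_debt.append(finding)
            continue
        severity = finding.get("severity", "")
        # Fail closed: a severity the policy does not know is treated as blocking.
        rank = SEVERITY_RANK.get(severity, block_rank)
        if rank >= block_rank:
            blocking.append(finding)
        else:
            sla = policy.debt_sla_days.get(severity, 0)
            due = (run_date + timedelta(days=sla)).isoformat()
            new_debt.append({**finding, "due": due})
    return GateDecision(bool(blocking), blocking, new_debt, known_debt)


# Constructed sample: four findings from one (hypothetical) static-analysis run.
SAST_OUTPUT = json.dumps([
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42, "fingerprint": "f1"},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 10, "fingerprint": "f2"},
    {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3, "fingerprint": "f3"},
    {"rule": "weak-hash", "severity": "medium", "file": "app/legacy.py", "line": 77, "fingerprint": "f0"},
])
# Constructed baseline: f0 was accepted as debt on an earlier run.
BASELINE = {"f0"}


def decision_for_sample() -> GateDecision:
    return run_gate(SAST_OUTPUT, BASELINE, GatePolicy(), "2015-10-12")


if __name__ == "__main__":
    decision = decision_for_sample()
    for f in decision.blocking:
        print(f"BLOCK  {f['severity']:8} {f['rule']} {f['file']}:{f['line']}")
    for f in decision.new_debt:
        print(f"DEBT   {f['severity']:8} {f['rule']} {f['file']}:{f['line']} due {f['due']}")
    print(f"{len(decision.known_debt)} known finding(s) carried over from the baseline")
    # A non-zero exit fails the CI stage; the next pipeline run re-checks everything.
    sys.exit(1 if decision.blocked else 0)
```

Two design choices carry the "speed of CD" argument: only findings absent from the baseline can block, so old debt does not stop every deploy, and a severity the policy does not recognise fails closed rather than slipping through. Tightening `block_at` to `"medium"` is a one-line policy change rather than a new sign-off process.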
Focus on the problem, then find the tools
Even though Sbano and Pal will be sharing their experiences from Capital One and other past roles, Sbano was quick to point out that this talk won’t be specifically about the tools they used. It’s more about the ideas that got their security and development teams working in concert and efficiently deploying new software and updates.
“I’m going to be vendor agnostic,” Sbano said. “The goal is really around education. What are you going to do with static analysis? What are you going to do with that manual penetration testing? How do you wrap all that stuff together?”
Sbano also said he and Pal won’t be looking to “change anyone’s mind” on security’s role in CI/CD or persuade them to adopt their line of thinking. The main goal of the presentation is to share their experiences: What’s worked, what’s failed and what they did to pivot after failing.
Security is cool — seriously
Now that the relationship between developers and infosec is strengthening through CI/CD, Sbano said security no longer has to be viewed as an albatross around a company's neck.
“There are really good models and examples when it comes to training and the mindset of security in your organization,” Sbano said. “Security is becoming pretty cool. People are thinking more about it.”
One sign that people are thinking more about it is the rise of security-focused talks at conferences such as Velocity, Sbano said. While the conference has historically focused on web performance and development practices, its community has embraced infosec's role in efficient web development and innovation.
“Velocity is highly regarded,” Sbano said. “It’s my first time going a little out of the security world to speak at a conference, but a lot of people have told me that Velocity is a great place to do it, and I’m excited.”