Last week, my fellow Scyphers and I attended and exhibited at our first DevSecCon in Seattle. The event included presentations by industry experts and networking opportunities, making it invaluable for anyone working in development, DevOps, or security. After attending sessions and interacting with attendees at our booth, here are my key takeaways:
- Security has to empower development teams for a faster AND safer go-to-market: Tanya Janca (keynote speaker) talked about how security practitioners need to understand that businesses today win by bringing innovative services to market faster than their competition. As a result, development teams are typically given hard deadlines by business teams.

  Most developers view security teams as a threat to these deployment deadlines. They dread the prolonged cycles spent with the security team on code reviews, credential management, and embedding of controls. But security-related issues in production can be very costly for businesses. The security team has to strike a balance, and it can do so by enabling development teams with nimble, frictionless controls for secure, rapid application releases.
- Security must be “free” for developers: In order to support rapid application release cycles, security must be frictionless for developers to implement. Hongyi Hu (Dropbox), a panelist at the event, suggested that security controls should be easy to implement and seem as if they are “free” for the developer (in other words, require minimal effort). In addition to automation, he mentioned the use of standard frameworks that make it easy for developers to embed security controls and meet compliance requirements.

  At Scytale, we started the SPIFFE.io project to make service authentication “free” (effortless) for developers. SPIFFE provides a framework for security teams to make service authentication available as a consistent “dial tone” for their development teams across heterogeneous platforms. Companies such as Uber and Square are implementing SPIFFE to decouple authentication from engineering cycles while at the same time ensuring secure communications.
- Embed security engineers in DevOps organizations: DevSecOps doesn’t require drastic changes to organizational structures. Julien Vehent (author, Securing DevOps) advised leaders to embed security engineers into existing development and operations teams in more of a matrix organization. This lets them collaborate with DevOps teams daily while sharing best practices from across the organization.
- Storytelling is a skill security staff needs: I thought storytelling was a skill reserved for product and marketing mavens, but multiple speakers at the conference talked about how security staff need to become more like storytellers and educate development teams on the repercussions of insecure applications and services. One example of such storytelling would be sharing a news story about a recent breach at an organization that happened due to credential leakage, what it cost the organization, and how it could have been avoided.