Bringing Infosec Into The Devops Tribe: Q&A With Gene Kim and Pete Cheslock

Post on 14-Jun-2015


As we see more companies undertake cloud initiatives, deploying new projects into places like Amazon, Google and Azure, Infosec teams become new barriers to progress. We should instead be providing deep insight into services, users, and activities that these companies need, and provide this information to Devs, Ops and Infosec users.


Bringing InfoSec Into The DevOps Tribe

Q&A with Gene Kim (founding CTO of Tripwire) and Pete Cheslock of Threat Stack

Introductions

Gene Kim, Founding CTO of Tripwire

Gene Kim is co-author of "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win", founder and former CTO of Tripwire, Inc., and is hosting the upcoming DevOps Enterprise Summit.

Pete Cheslock, Senior Director of Operations and Support at Threat Stack

Pete Cheslock is the Senior Director of Operations and Support for Threat Stack. He focuses relentlessly on the uptime of the Cloud Sight service and is passionate about supporting the company’s ever-growing customer base. Pete is a 15-year veteran of the technology industry and most recently built out the automation and release engineering teams at Dyn as well as at the Amazon-backed cloud archiving company Sonian.

Q&A

Gene Kim kicks off the Q&A with a few questions for Pete:

Gene:

“How in the world did a nice DevOps person like you end up in the bowels of Infosec? Usually it works the other way around — the smart Infosec people flee to saner grounds like DevOps.”

Pete:

“I wasn’t specifically looking for a job in the Infosec field, but after getting introduced to Threat Stack, it opened my eyes to a whole new world I felt like I was missing out on.”

“What I saw was a convergence of Infosec and DevOps much like we saw when Dev and Ops teams needed to fundamentally change their thought process in order to win.”

“As we see more and more companies of all sizes undertake cloud initiatives, deploying net-new projects into places like Amazon, Google and Azure, Infosec teams become the new barriers to progress.”

“I see a world where we [Threat Stack] can provide deep insight into services, users, and activities that these companies need, and provide this information to DevOps, Ops and Infosec users alike.”

“We can then embed this visibility and monitoring into the workflow, allowing companies to deploy more scalable and elastic infrastructure.”

“It will become more and more critical that businesses continually monitor and analyze the scope of changes to their systems.”

“And these monitors should be integrated early.”

Gene: Here’s a quote from Josh Corman:

“If there’s one message that everyone in Infosec should know about the DevOps community, it’s this: DevOps is waiting for Infosec with open arms. Come on in, the water is awesome.”

“Do you agree with his thesis?”

Pete:

“It’s been an exciting time as DevOps and the overall community around that movement has matured over the past 5 years.”

“Companies are making amazing organizational changes and fundamentally shifting how they do business online.”

“I see the same thing when it comes to Infosec teams and security-minded folks within companies.”

“But at many of these companies, the Security teams don’t have a seat at the table. They are getting shot down while the rest of the organization is making changes at an incredible rate.”

“So how can we enable Security and Infosec teams to embrace this new world of continuous deployment and elastic infrastructure?”

“Much like how we saw for the DevOps world, it will come down to a mix of culture change and improved technical applications that will facilitate the integration of Infosec into DevOps.”

“Much like how Chef and Puppet enabled teams to more effectively build and deliver highly scalable systems.”

“I see Threat Stack poised to deliver the tools to allow deep insight and visibility into the applications and services being deployed.”

Pete then had some questions for Gene:

Pete:

“It looks like enterprises like GE Capital, Macy’s, Target, and Nordstrom are early adopters of DevOps in the enterprise; how does Infosec need to change when more of the Dev to Ops value stream migrates to DevOps patterns?”

Gene:

“My belief is that we’re going to see the Infosec function transform just like QA/Test is transforming.”

“In other words, in high performing DevOps organizations, you very rarely see a QA department that is writing and running the tests.”

“Instead, QA is helping to coach Dev on how to write good test cases and ensures that the right feedback loops exist so that Dev can validate that they’re achieving the functional and non-functional requirements.”

“Infosec is not doing the security scans, nor is it pestering Dev and Ops to look at their reports.”

“Instead, they are helping to create the automated tools so that Dev and Ops can get fast and constant feedback on whether the code and environment are achieving security objectives.”

“My favorite example is the three-year transformation of the Twitter Infosec function, which started when @BarackObama was hacked, resulting in an FTC injunction requiring that Twitter be secure for the next 15 years.”

“They integrated Infosec into the daily work of Dev and Ops with the primary mission of not getting in their way.”

Pete:

“How are fast-growing companies implementing the DevOps principles of ownership and accountability while requirements for access tighten (SOC2/FISMA/PCI, etc.)?”

Gene:

“The main obstacle for DevOps adoption in large enterprises is Infosec and Compliance, and you can hardly blame them.”

“For decades, both Dev and Ops seem to have done everything they could to fix security defects exposed late in the project lifecycle.”

“But what every Infosec and Compliance practitioner needs to know is that DevOps is the best thing in at least 20 years to happen to our field.”

Here’s why:

“1. When Dev and Ops embrace DevOps principles, we fully embrace all the non-functional requirements, like performance, quality, reliability, and yes, security.”

“We want to know when we’re writing or operating code or environments that aren’t secure.”

“2. Because DevOps organizations are constantly doing deployments, the “find to fix” cycle time is very short.”

“So the days of Dev or Ops taking nine months to get an urgent change into production are coming to an end.”

“3. DevOps value streams that sustain tens, hundreds or even thousands of deployments per day (i.e. Netflix, Etsy, Google), can’t be done without a ton of effective controls.”

“There are FAR MORE controls (i.e. security scans, performance testing, deployment validation) in a DevOps organization than in a traditional waterfall SDLC.”

Wrapping Up

Threat Stack is hosting Gene Kim at our AWS re:Invent booth (#742) on Wednesday, November 12, 2014 from 11am-12:30pm for a free book signing of The Phoenix Project.

We look forward to seeing you then!

Start Implementing Continuous Code Security Today

threatstack.com