Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native Security Day EU 2021 / 14 May 2021
Cloud Native Computing Foundation / Cloud Native Security Day EU 2021 / 14 May 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: It’s pronounced ‘DevOps.’ The ‘Sec’ is silent. - Dormain Drewitz, VMware Tanzu

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Lightning Talk: It’s pronounced ‘DevOps.’ The ‘Sec’ is silent. - Dormain Drewitz, VMware Tanzu

A common roadblock in realizing DevOps outcomes is security. In this lightning talk, hear how the security landscape has changed and is forcing a DevSecOps mindset to achieve DevOps outcomes.

A

And I'm going to jump right into it, because this is a lightning talk and it's going to go by fast. Today, I'm going to talk to you a little bit about why, if you're doing devops right, you should be solving for security and that's where, of course, a lot of these cloud native security concepts and technologies come into play in terms of being able to deliver those outcomes.

A

Now we can't have a talk about devops without defining devops and we could spend all day or all year on this, because if you ask 10 people what devops means you'll get maybe 20 answers, but if we take a look at the wikipedia definition, because no one's allowed to argue with wikipedia what you'll see is that there's an emphasis on the practices? Yes, there is a tool chain, but it's really about the practices that lead to this outcome: shorter, shorten, the development uh systems, development life cycle and you get high quality software.

A

To paraphrase the goal of devops is shipping higher quality code faster and more frequently and, of course, to production where it matters now.

A

Why does this matter from a security perspective which is actually, if you look at the number of common vulnerabilities and exposures that are getting reported every week, you see that over the last 10 or so years, basically, since devops was born, there's been a 3 to 4x increase in how many of these cves are getting reported every week. Part of this is just we have more software we've been kind of in this.

A

You know explosion and growth of the software industry, taking over all kinds of industries or, as mark andreessen said, software is taking over the world um software's eating the world. That was his quote from about 10 years ago, and what we can see is that that brings along with it a lot of vulnerabilities, more code means more vulnerabilities, and how do we manage all of it now?

A

If you kind of deal with that sort of at the end of your software development life cycle, uh you get this kind of kind of crazy effect where you're just getting hammered with the amount of code that needs to be scanned and remediated, and it feels a little bit like the scene.

A

Out of I love lucy when they're in the chocolate factory and they can't keep up so the conclusion that we have here is that we need some amount of automation, it's essential when you factor in just the growth in the number of cves out there, the growth in the amount of code that's trying to get out into production, and then you take into effect things like containers as sort of uh one of the staples of devops tool chains and how they're very ephemeral so, instead of patching and hardening a vm that we're going to keep in production for a long time, we want to throw it away and rebuild it again.

A

So we're going to need a lot of automation to deal with that now, there's kind of looking at this is we can't just automate at the end. We need to sort of cause security to happen in more places. Some people talk about this as shifting left or expanding left and there's a couple things to consider here.

A

One is just on the design side, and how do you educate more developers to be mindful about security practices, but there's also thinking about how do we automate in security points of control along the entire development and deployment life cycle? And that's really where you start to kind of get into some of these uh cloud native security technologies? Where you can think about hey? How do I get code from development into the into the hands of customers and in front of users? And what are my points of control in that life cycle?

A

Knowing that we're going to go around it again and again and again now, even the best laid plans, if you develop a system to do this, if it's painful to use developers are going to go around it and take the gumdrop path um and that's not because they're bad people, but it's because they're just trying to get their job done now. This was actually a really great insight that was shared in the state of devops report from last year, which is really about.

A

You have to make these platforms a compelling option, and this becomes really important when you've designed these platforms to help solve all these critical security needs, whether it's scanning or points of remediation and control.

A

You you spend all this effort to do that, but then you don't want developers to go around it, so you have to have them in mind as the customer. So how do you make it a developer friendly thing, so this is kind of the the formula to think about the the mathematical proof. If you will, that gets you to when you think about the outcomes you're trying to achieve the challenges that security brings in as well as things like the ephemeral nature of containers and behaviors that developers exhibit.

A

You really need to automate this whole platform and life cycle in a developer friendly way, and you probably need to be thinking about that on a constant basis with a team. That's really thinking about a developer friendly platform.

A

So at the end of the day, if you're doing devops, right and you're doing it on an ongoing basis, then you've solved for these security challenges. Now, if this was interesting to you, I have a 43 minute version of this talk that you can find you can. Google it's pronounced, devops the sec is silent, because this bright talk url is probably going to be impossible to memorize.

A

So with that, I want to say thank you and enjoy the rest of the cloud native security day.