
Description
George Gerchow, the chief security officer at Sumo Logic, talks about applying security early in the app dev process. He’s found that many companies are taking the old waterfall approach to security even in the container and Kubernetes world – waiting until systems are running in production to worry about security. “By then it’s too late. You either pay for it now, or pay for it later.” He votes for securing it now so you don’t have to pay later!
Hi, my name is George Gerchow, chief security officer at Sumo Logic. Some of my roles and responsibilities are working with a great team who handles audit and compliance, platform security, which is protecting customer data, as well as an automation team which does DevSecOps, and then a federal function as well.

So Sumo Logic is a leader in continuous intelligence. We're a big data analytics company hosting 100% in the cloud, and our customer data is very sensitive. It can be anything from PHI to PII to IP, and we can't afford to be breached. I mean, if we get breached as a SaaS-based company, we could be out of business overnight, so there's no room for error at all when it comes to security. So we have to get out in front of emerging technology.

So one of the things that we've noticed is that, with the emergence of Kubernetes and Docker and container stacks, a lot of people are waiting until it's in production. Well, by then it's too late. So if you don't pay for it now, you're definitely gonna pay for it later. So I think getting in front of security and embedding it and baking it in early on throughout the container stack in the CI/CD pipeline is mission-critical.

So when we started thinking about emerging technology like containers, we needed a solution that, number one, could scale, like that's massive to us, with scale in, scale out. You know, it's a complicated type of infrastructure that we support. We wanted to have everything in one location to make sure that policies were set, centralized, and then controls were adhered to in that one centralized location, instead of a solution where we had a bunch of different open-source-type things trying to pull everything together. So that chain of custody and evidence of compliance, along with the scale, and then tying in seamlessly with our CI/CD pipeline, was absolutely critical to us, to our success.

What made StackRox so attractive to Sumo Logic is the fact that, number one, it's deployed in Kubernetes. You know, for us, we wanted a partner that drank their own champagne. If you're gonna manage and secure and give you visibility into Kubernetes, you should be deployed in Kubernetes. The second thing is audit and compliance. So that's big for us; we're very highly regulated, everything from ISO 27001, SOC 2, PCI, HIPAA. The list goes on and on. It seems like it never ends, and so we wanted that evidence of compliance to be in one location, and then to be able to essentially set policy, which was also critical to us.

The last piece, and this is just scratching the surface, was vulnerability management: to be able to tell if a developer makes a call to Docker Hub and then tries to introduce software that's not validated and signed back into production. That was key for us, and along with the CVSS scoring, it was just a home run. So what StackRox really brought to us was a turnkey, low-friction solution that added a ton of value and easily fit into our pipeline.