Rob Juncker, CTO of Code42, and Gene Kim, author, researcher and founder of IT Revolution, got together (virtually, of course) to talk about the post-COVID world and how the fallout has opened the door for organizations to build a powerful new DevSecOps culture. Their conversations often involve wonderful tangents that neither could have expected.
Rob: Gene, great to see you. Glad everyone is healthy and safe. This new way of working took some getting used to, didn’t it?
Gene: Yes, it was weird for a while, wasn’t it? But, when you think about it, the way we work has been slowly changing—starting way before anyone had ever heard of social distancing or “flatten the curve,” much less the coronavirus. For years, the rise of cloud computing, digital transformation and improved collaboration tools has made users more remote, more distributed and more mobile. COVID-19 just accelerated all of it when it sent millions of workers to home offices and dining room tables and away from hardened data centers.
Rob: At first, everyone scrambled to enable this new workforce, and it put strain on existing network infrastructures that were built to accommodate a much slower, more deliberate transformation to the Future of Work. Broadband was stretched thin and VPNs overwhelmed. Yet we’re going to have to continue to accommodate remote users by enabling application and data access for distributed users without impacting performance.
Gene: Unfortunately, companies were focused on access but not security. Opening up access to distributed users introduced a whole new level of risk that organizations didn’t have to think about before. The market demands that products continue to evolve and code continues to be written—but at what cost?
Rob: It’s clear that organizations need to re-architect development infrastructure and processes for a post-COVID world. The problem is that security has traditionally been seen as a roadblock to development agility. It’s typically been separated from development, siloed with its own tools and processes. Code, perfect from the developer’s perspective, gets run through the security wringer where it’s torn apart and watered down. It adds cost and complexity to efficient software, increases tech debt and slows time to market. The perception is that when development says yes, security says no.
Gene: Yes. There’s absolutely an opportunity to change the Security-Development dynamic in the post-COVID world. Rather than sit outside the development structure, security can be integrated directly into DevOps processes—implemented seamlessly throughout the software lifecycle at the speed developers, the market and users expect.
Rob: This is easier said than done, of course. As we look to the future, how should companies think about that?
Gene: Companies need to build meaningful connections between developers and security, and this begins with personnel. In the pre-COVID world, this meant seating security and development teams together in a shared space to encourage informal interactions that lead to collaboration. As we know, this is impossible in the post-COVID world where people work remotely either all or some of the time. Instead, cohesive interactions need to be facilitated virtually for the long term through video conferencing and other collaboration tools. For example, a member of the security team should be part of the daily standup—updating developers on new security developments and contributing to the overall discussion of bug fixes, new features and product development from a security perspective. The key is to facilitate a discussion of risks and how to mitigate those risks throughout the software lifecycle.
Rob: You can do the same with tools. Traditionally, developers created code and then sent it to the security team to run through checks. Risks would be identified, but developers had little incentive to seek out feedback that was buried in a separate tool. Feeding real-time security notices and alerts alongside compiler warnings can make developers think about security throughout the process rather than as a check at the end. This saves time, reduces errors, speeds time to market and eliminates much of the conflict that occurs between teams with seemingly disparate goals.
Gene: That brings us to best practices. A DevSecOps framework gives developers an easy shortcut to implementing security controls and services as they code. Rather than imposing security later in the process, these snippets can be pasted into code right in the development platform—ensuring a seamless integration.
Rob: What about self-service IT? We’re always getting users trying to spin up a new resource outside the boundaries set up by the security team. Creating an intuitive, scaled-down version of your security framework that non-developers can use allows non-developers to innovate quickly within boundaries defined by DevSecOps principles.
Gene: This has implications beyond the development team. Accelerating the Future of Work means that nearly every department is now doing things that were never intended to be done from outside the data center. For example, customer billing has needed to continue while the finance team works from home. This likely requires pulling extremely sensitive data from a highly secure SAP database that is subject to strict compliance requirements. A close relationship between the development and security teams can lead to innovations that enable these secure connections without adding too much latency or impacting productivity.
The world has changed – it’s clear this is not a temporary state. We have to make sure that this new way of meeting dynamic user, customer and market demands is secure.
Learn how Insider Risk has changed since COVID in the 2021 Data Exposure Report.