Two years ago, at Black Hat, I produced a silly video asking attendees if security and developers should be in couples counseling. Everyone agreed, yes they should be, but the response from the predominantly security audience was “they should just listen to me.”
If you’ve ever been in couples counseling, you know that technique doesn’t work, no matter how right you think you are.
Developers and IT have already started a great party called DevOps and security has some serious FOMO. The InfoSec team is trying to get involved by placing themselves at the front (shifting left) or inserting themselves (DevSecOps) into the process.
It’s a rather self-interested goal.
Instead, “work within their existing processes,” said John Prokap, former CISO, HarperCollins.
What would that be? I asked security professionals, “What is it that security is already doing or could do that would be embraced by DevOps?”
Here’s their advice.
1: From the bottom up and the top down
“Tackle from both directions,” said John Karabin, national director cybersecurity, NTT, who recommends both beginner-level security education for developers and supportive direction from management. “Leaders at every level have to insist on it culturally and procedurally.”
2: Stop trying to control DevOps (you’re an imposition)
“Listen and learn instead of demand and annoy,” advised Steve Zalewski, deputy CISO, Levi Strauss. “Security is about alignment, influence, and patience to get what you want. Learn the business of DevOps and become the trusted ally over time.”
“Your target is to support DevOps engineers in deploying secure applications and infrastructure without inserting an approval bottleneck that slows down releases,” said Keith McCartney (@kmflgator), CISO, Zenefits, who suggested that any checks you run (e.g., linters and CI checks) should give DevOps engineers clear and actionable feedback.
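McCartney's point about checks that give clear, actionable feedback is easier to see in code than in prose. The following is an added example, not code from the article or from any of the people quoted: a small CI gate that reports each finding with the file, the line and the fix the developer should make, in the GitHub Actions annotation format so it renders inline on the pull request rather than as an opaque "security scan failed". The rules, the file name `settings.py` and the sample file contents are all constructed for illustration.

```python
"""Added example (not from the article): a CI check that fails with
line-level, actionable feedback instead of a bare pass/fail.

The rules and the sample input below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Each rule carries the remediation text shown to the developer, so the
# output tells them what to change, not just that something is wrong.
RULES = [
    ("hardcoded-aws-key", re.compile(r"AKIA[0-9A-Z]{16}"),
     "Move the key to the CI secret store and read it from the environment."),
    ("debug-enabled", re.compile(r"^\s*DEBUG\s*=\s*True\b"),
     "Read DEBUG from an environment variable; never commit it as True."),
]


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    fix: str


def scan(path, text):
    """Return one Finding per (line, rule) match in the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, fix in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, fix))
    return findings


def annotations(findings):
    """Render findings as GitHub Actions workflow commands.

    '::error file=...,line=...,title=...::message' is the documented
    annotation format; GitHub shows it inline on the PR diff.
    """
    return [f"::error file={f.path},line={f.line},title={f.rule}::{f.fix}"
            for f in findings]


# Constructed sample of a committed settings file (hypothetical content).
SAMPLE = """\
import os
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
DEBUG = True
"""


def main():
    findings = scan("settings.py", SAMPLE)
    for a in annotations(findings):
        print(a)
    # Non-zero exit fails the job; the annotations explain why and how to fix it.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a CI step, this fails the job only when it has something specific to say, and every message names the file, the line, the rule and the fix, which is the difference between a gate developers route around and one they act on.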
David Spark @ CISOSeries