My takeaways from AppSec EU 2017

Had an excellent couple of days immersing myself in the AppSec conference, meeting lots of different people from different backgrounds, all with one thing in common: a desire to learn more about security.

To find out a bit more about the conference and speakers head on over to https://2017.appsec.eu/.

A bit about me before I ramble on: my background is infrastructure. I moved away from the more traditional infrastructure role to Web Operations (WebOps), where the goal was all about automating the delivery of infrastructure.

I’m now CIO at Kainos and I have a natural curiosity around security, so the conference seemed a great way to brush up on the latest and greatest stuff out there in the security space.

At Kainos we have embraced DevOps and what it means to truly live and breathe DevOps as a culture.

As Gene Kim said “DevOps transcends the technology stack we are working with.”

Although the word DevSecOps has been floating about for years, it really was at the forefront of the conference and was a theme throughout, which kinda got me wondering…

‘Why does DevSecOps need to exist as a term?’

Given that DevOps has at its core the key aspect of a multi-disciplinary team working together, spanning Development, Project Management, WebOps, Security, the list goes on…

What seems to be clear from everyone I spoke to (and I am not generalising an industry) is that Security is moving through the same journey infrastructure did a few years ago, where infrastructure people started to learn infrastructure as code and became part of the software development lifecycle much earlier. DevOps came along at this time too and acted as an incubator, accelerating this evolution for WebOps people.

DevOps has done great stuff, but Security still seemed to be getting left out and in many cases happening after the fact, kinda DevOps + Security instead of being embedded as DevSecOps. Anyhow, I could go on about the naming of things, but what is clear is that names are important and people respond in different ways; that said, it’s more important what you do than how you name it.

Regardless of why DevSecOps exists, I can’t emphasise enough how important a step this is for us as an industry; words can’t articulate the importance of embedding security in our internet-connected world.

Coupled with the realisation that Security is super important is the maturing of how Security as a discipline fits into business. Again generalising, as I know this is not always the case, but Security was often seen as a blocker to delivery and had a fairly adversarial relationship with the business and delivery teams. What is now clear, though, is that Security is moving from Gatekeeper to Guardian; the distinction is subtle but important.

Instead of acting as a gatekeeper to say ‘yes’ or, more often, ‘no’ to delivery teams, Security experts are getting involved really early in the development lifecycle to play a key role alongside their colleagues in building secure services by default. Getting involved early is a much more productive way of engaging, in the same way that Development and Web Operations have been collaborating much more closely over the last few years.

The change of engagement is great for team morale too: people collaborating creates a much more harmonious relationship, whereas in the past, a day or two before going into live operation, a pen test would come back from the Security team saying ‘This can’t go live until these 50 defects are fixed, and to be honest some bits you’d be better off going back to the drawing board’.

Coupled with the changes of engagement is the maturing of security tools that work hand in hand with automation to accelerate and slipstream feedback to the delivery teams. The ability to automate both functional and non-functional testing (including security) supports the business in delivering functional, robust, performant and secure services to their end users.

To flourish and truly succeed, Security must find that delicate balance of protecting but not impeding business.

If you take anything from my ramblings, please take this.

Engage with your security people, embed them within your multi-disciplined teams, and bake security controls into your journey to live service that move at the pace your business needs.

I know it’s easy to make statements like this and much harder to achieve, but we are now in a place, supported by people and technology, to accept this as an industry as our default way of working.