DevOps could be security's biggest boon for quickly mitigating the kinds of vulnerabilities that will be highlighted next week at Black Hat USA in Las Vegas. And in a departure from the show's typical doom-and-gloom demos of scary attacks and exploits, one speaker is taking the podium to explain the practicalities of tuning application security practices to DevOps speeds so organizations can finally get the jump on zero-days and other hard problems in vulnerability management.
The rundown will come from Etsy's former head of security engineering, Zane Lackey, who will explain that the goal is to get faster than the attackers in identifying and fixing security flaws in software. He'll talk about the online retailer's transition from Waterfall development to continuous integration/continuous delivery methodologies. He plans to explain what that kind of evolution means for the standard approach for Web application security, especially when it comes to static analysis and dynamic testing.
"What it really means for vulnerability scanning is that the tools need to change," says Lackey, who since Etsy has moved on to the vendor side of the world, co-founding Signal Sciences. "It's a real evolution with a focus on speed and consumability of results by non-security experts. The real lesson learned on that side is that modern approaches to security tooling and techniques have to be about empowering the development team and the DevOps team to have visibility and that they’re seeing results directly themselves."
During his time at Etsy (2011-2014), the firm was establishing itself as a front-runner and thought leader in DevOps operational patterns while at the same time dealing with the increasing risk and compliance concerns that come with the territory of a rapidly expanding retail business. In order to fit security into the Etsy paradigm, Lackey says he and his team had to learn that they were no longer outsourced gatekeepers, but instead more like consultants to help the developers both run tests and use them to guide future actions for fixing flaws.
While the fast pace initially spooked him, what he found was that once the kinks were worked out it actually ended up improving appsec dramatically.
"When I started as head of security at Etsy and they said 'We deploy to production 20 times a day,' I thought it was crazy and I thought that would be dramatically less secure," he says. "What I really learned over the course of my time building a security program there was that moving faster can actually be a net positive on security."
His observations seem to be reflected in recent statistics. In fact, a survey released earlier this week found that the integration of security into DevOps has helped companies improve their application security risk by approximately 22%.
Lackey will provide some real-world examples of what that kind of quantitative improvement looks like in the real world. He'll talk through one example where his team was able to move so quickly that the improved visibility and response time made it possible for his team to identify an adversary discovering a real-life vulnerability in production - and were able to fix it before the adversary could do anything with it.
"Any organization can get to this point. By embracing DevOps they’re able to move faster and for the first time potentially move faster than the attackers," he says.