Who’s in Charge of Automated Security? – InApps 2022

Lori MacVittie of F5 Networks: Who’s in Charge of Automated Security?

Also available on Apple Podcasts, Google Podcasts, Overcast, PlayerFM, Pocket Casts, Spotify, Stitcher, TuneIn

In physics, you can’t have two proportionately sized perfectly-opposing vectors of force for very long without them canceling each other out. In marketing, cancellation only takes place after several long, grueling meetings. At this site, we’ve spoken at length about how serverless architectures free the developer from having to pay attention to IT operations, and also how serverless brings operators and developers closer together.

You’d think we can’t have this both ways. Even aside from that, the merger of two things and their separation from one another certainly can’t both be considered “freedom.” Right?

Actually, F5 Networks’ principal technical evangelist Lori MacVittie may have come up with that elusive matter/anti-matter intermix formula (and she didn’t have to catch the disease from Spock or Sulu to do it). Last July, in a post on her company blog, MacVittie found herself reasoning this way: If serverless architectures end up making all IT platforms seem more or less homogeneous from the developer’s perspective, then it might actually be easier for developers to address operators’ concerns — and those of security engineers as well.

“No data center runs on a heterogeneous infrastructure,” MacVittie wrote, “and even within the subset of a single vendor, organizations run multiple models and versions of hardware and software alike.”

So if we can get operators and developers together on the same page (perhaps someone should come up with an acronym for this), then shouldn’t it be feasible that we get security professionals to join in?

“I don’t think there’s a day that goes by where there isn’t some new feature, or concept, or way to do x, y, or z,” MacVittie told us for this latest edition of InApps Makers podcast. “It’s Legos as it was meant to be:  ‘Here’s a box, build whatever you like!’ That’s great, especially in the early days of a technology… One of the things that has to happen is, this needs some time to mature before we can get the security folks to say, ‘This is how this is working, and this is what we need to do.’”

In This Edition

4:14: “Generally speaking, it’s the CISO’s responsibility to certify and determine worthiness with respect to security.”
8:06: Serverless architecture has the virtue of defining the entry point into the system.
10:00: Testing the notion of separating the “management network” from the one the end user sees.
15:34: “The whole paradigm is shifting from imperative to declarative.”
20:42: It might help if Kubernetes’ and others’ configuration files could be more easily and generally parsed.
25:44: To whom should container-related security events get reported?