Security’s Case Against ‘Cloud-Native DevOps’ – InApps Technology 2022

Security’s Case Against ‘Cloud-Native DevOps’

Also available on Apple Podcasts, Google Podcasts, Overcast, PlayerFM, Pocket Casts, Spotify, Stitcher, TuneIn

The whole point of the movement-within-a-movement that Utsav Sanghani, senior product manager for desktop and AppDev security for code security platform provider Synopsys, calls “DevSecOps,” is to engage information security professionals in the task of automating enterprise processes. That engagement requires a shared understanding among all departments of the infrastructure with which applications and critical functions are being hosted.

That knowledge is cast to the wind, suggested Sanghani in an interview for InApps Technology Makers podcast, when an organization opts to host its applications on a cloud-native platform, and then attempt to leverage DevSecOps to secure it.

“Let’s assume that your production builds are happening in the cloud,” said Sanghani. “You’re working for a big financial institution. As part of your production builds, you’re running scans using market-leading tools like, let’s say, Synopsys’ Coverity. As part of that, if at any point something were to leak out that this application has a high-security CSRF issue with it, that’s going to be a PR nightmare for that big financial institution.

“However, if that situation were on-prem,” he continued, “they’d have better control over what information gets leaked out, what information stays within their premises.”

Choice of tools, asserted Sanghani, “helps define the maturity level of how DevOps is integrated into their processes. If somebody’s using a tool or a process that is very 1990s, very ‘waterfall-ish,’ we know that, okay, Agile for them is still new. They still have once-a-year releases; they’re not so keen on having a lot of control at the developer level; they do all their security assessments, their quality assessments after things are getting built.  So the choice of tools and processes is a great indicator.”

Perhaps a bit contra-indicative here is the fact that Jenkins is fairly ubiquitous as an automation tool. Whether an organization is using freestyle jobs or pipelined jobs with Jenkins, the fact that it’s there, Sanghani said, is an indicator that the organization is seeking to automate processes and reduce overhead. But it’s the very existence of Jenkins that also indicates that organizations want to automate processes using the infrastructure and resources they own, rather than on services they lease.

In this Edition:

2:18: The transition from dev to operations using administrative tooling.
4:16: If we’re creating a dependency on the tools and processes that are chosen, that too would have a fairly broad impact on the way the organization works, wouldn’t it?
12:02: What is the value to organizations when maintaining infrastructure on-premises versus in a public cloud?
14:15: How Synopsis adopts its core principles from an implementation standpoint.
20:17: Encountering resistance to “DevOps” as a definition.
22:15: Five years from now, will DevOps have become an antiquated term for what this philosophy will have evolved into?