This blog was co-authored by myself and Simon Darken. Once a year, PagerDuty’s SREs get together for a three-day, in-person offsite. With the team spread...by Dave Bresci
December 5, 2018
As a long-time security professional, I’m always interested to hear about how companies like Datadog are keeping up with the changing security landscape. I can recall when the security organization was solely responsible for security, and we were focused on protecting the perimeter of our business. However, with the advent of the cloud, mobile, and web applications, that perimeter has disappeared. Along with that, organizations are realizing security should be a shared responsibility and integrated within their development and operations teams.
Let’s face it: Attacks on web applications have become a menace, and the volume of data breaches caused by them is rapidly rising each year. Rogue actors are taking advantage of weaknesses in our infrastructure, software, and processes. How do we strike back against this? Enter a new hope: DevSecOps!
As you can tell, I’ve been a Star Wars fanatic since I was a child. I’m always excited when a new film debuts in this storied franchise, and the latest movie has made me reflect on some of the lessons a galaxy far, far away has taught me in relation to DevSecOps.
I interpret this wise Jedi Master saying to mean that some of the knowledge you “know to be true” may not be true anymore—and when it comes to DevSecOps, it could be blocking your ability to successfully transform. By using outdated tools and processes, security teams may be slowing things down. Security needs to adjust as part of changing the security mindset within an organization, and learn how newer tools and processes can help them be better partners. Datadog, a monitoring service for cloud applications, is one company that realized it needed to update its tools and processes. Its security team learned from the development organization and began to use PagerDuty for their alerting and response. As a member of the PagerDuty Security team, I can also attest that we eat our own dog food and use our platform as part of our security operations. But why?
At PagerDuty, we follow a model of being reactive and responsive. For instance, how quickly can we identify that a security event is occurring or that a resource is out of compliance, and how quickly can we respond and remediate the issue? Part of DevSecOps is automated security decisions being made with speed at scale. It may not be as fast as the Millennium Falcon’s jump to lightspeed, but being able to respond quickly can lead to potential cost savings and a reduction in risk. Speed is a factor!
We all wish that we could say that every release is 100 percent secure and that we all had 100 percent uptime, but that’s not a reality. Reality is that breaches will happen, and how quickly you can react can affect the bottom line. The 2017 Ponemon Cost of Data Breach Study showed that having an incident response team can reduce the cost of a breach by up to $19 per record. So it makes sense that getting the right people alerted and involved quickly is critical.
At PagerDuty, we operate a multi-tenant software-as-a-service platform in the cloud, and use many different tools to monitor and protect our infrastructure. These tools produce a lot of signals that we can mine and filter, and through integrations with the PagerDuty platform, we are able to create relevant security events and alerts. This ensures that we can quickly act on an event and start our incident response process to quickly contain it, respond, and recover.
This is not only true for security incidents. In an environment where developers own their code, we are also able to quickly determine when resources within our cloud infrastructure are out of compliance or pose a security risk. We can quickly react and work with the developer to correct the issue while providing fast feedback on best security practices to improve the process going forward.
Implementing a DevSecOps approach may seem like a daunting task—and one that’s filled with many challenges to be successful (like changing the security mindset within your organization). That in itself may seem like it would take a Jedi mind trick to pull off. But you must commit to the process, then learn from your mistakes and learn from others that have done it. Like DevOps, DevSecOps should be an iterative learning and improvement process. DevSecOps is also about choosing the right tools to automate your security processes to provide quick feedback, and utilizing PagerDuty can assist in that transformation.
Want to learn more about how you can successfully implement DevSecOps at your organization? Check out the Datadog case study.