The Gospel of DevSecOps: Partnering to Love Thy Customer
Disclaimer: This post is not meant as a religious statement, but merely an analogy to illustrate how DevSecOps has impacted engineering culture, both internally at PagerDuty, as well as more broadly among our 10,000+ customers.
Raise your hand if you’re a believer in DevOps—thank you, I see that hand. As a former organizer of devopsdays Toronto (2014 – 2016), you could say that I drank the Kool-Aid early on. But thanks to the outstanding research of the DevOps Research Association (DORA) and numerous State of DevOps reports before it, DevOps culture is much less of a religious battle than it has been in the past.
Some squabbles remain, such as an overemphasis on deployment automation and a lack of transformation in service ownership, but by and large, talking to developers and operations engineers about DevOps nowadays is like preaching to the choir. They have refocused on customer outcomes, and as a result, they’re able to respond to customer needs and deploy changes quicker than ever before. Or rather, they should be able to … if it weren’t for the gatekeepers, aka the team of “no,” aka the security team.I don’t mean to demonize security teams at all—they have a singular, daunting goal (“Thou shalt not be pwned”) and a whole lot stacked against them. AWS growth alone shows a staggering rate of cloud adoption, bringing with it a larger attack surface area, different security assumptions, and numerous cybersecurity threats. Teams are flocking there because of the ability to automate and self-service, which helps them meet customer demands requiring a rapid pace of change and, often, real-time response.
Like operations teams before them, security teams have traditionally been resistant to change. Change introduces failure and risk. However, in order to move the business forward, change is necessary. But in order to ensure that changes were acceptable in terms of risk, endless checklists and rules were introduced: “Thou shalt NOT parse user input without checking injection attacks,” “Thou shalt NOT make HTTP calls without SSL,” “Thou shalt NOT release a new service without a penetration test,” “Thou shalt NOT take a dependency on open-source libraries,” and so on.
I liken these to the Ten Commandments in the Bible’s Old Testament. There’s nothing wrong with having guidelines, but the spirit of the law is often lost and eventually people find new ways to obey the law while missing the point. Said differently, developers will find ways around your gates if it prevents them from serving customers. But shouldn’t security allow us to better serve our customers?
So does that mean we throw out the checklists and let chaos reign? Certainly not! Christianity teaches that Jesus came not to abolish the law but to fulfill it. Similarly, the good news of DevSecOps (“gospel” simply means “good news”) is that there is hope if we have a singular, company-wide focus on loving thy customer. It means that security teams and developers have a shared view and a shared language for evaluating risk vs. value. It means security teams are engaging developers earlier with critical security issues while developers are in the flow so the feedback loop is tight. And, ultimately, it means sharing security accountability.
The Union of PagerDuty and DevSecOps
How do we make you successful with a DevSecOps culture? For PagerDuty, it means uniting with our partners. In addition to rolling out our improved Amazon GuardDuty integration, security partners like Sumo Logic, Dome9, Threat Stack, and Twistlock are helping us to build on our ecosystem of 300+ integrations.
Sumo Logic helps you monitor key security metrics and indicators of compromise (IOCs) in real time, pushing actionable alerts to PagerDuty to drive real-time human response. In addition, the combination Sumo Logic’s massive amounts of security log data and PagerDuty’s rich monitoring data gives you the context you need to reduce incident investigation times and simplify compliance management.
Dome9 allows security and compliance to be incorporated early and often into the software development and deployment lifecycle, using PagerDuty to triage and drive the appropriate resolution, whether it’s an urgent fix before it reaches production or a defect to be addressed later. With Dome9 and PagerDuty, you can engage developers more effectively and proactively in order to fix compliance issues faster and maintain security hygiene.
Threat Stack provides a cloud security platform to quickly detect non-secure behaviors of systems and users, and leverages PagerDuty to close the feedback loop by taking action on security events before they become catastrophic. Taking ownership of your operations means that security can’t be left out, which is why platforms like Threat Stack and PagerDuty work so well together to distribute security accountability.
Twistlock enables container security for cloud platforms to monitor for vulnerabilities and engage developers using PagerDuty before those vulnerabilities are exploited. It also provides runtime defense for hosts, containers, and functions by actively monitoring for threats and sending those signals to PagerDuty for immediate action.
With our partners, we want to see organizations embrace DevSecOps so that you can continue to better serve your customers. Moving faster doesn’t mean you need to leave security behind—it all starts by reaching across the table and finding that common ground to rally around. Toss out the rules (the “how”) and find the higher purpose (the “why”). Amen.
Come Talk to Us at re:Invent
As an Advanced Partner in the AWS Partner Network with the DevOps Competency, PagerDuty is pleased to join AWS at re:Invent to share these exciting new integrations with our shared customers. If you’re in Las Vegas this week, come see us at Booth 1023.