It seems silly to ask why security for DevOps is so important at an event like DevSecCon. A quick survey of the 200 or so attendees revealed a room dominated by security professionals.
Still, that's what Caroline Wong, VP of security strategy at Cobalt, did in her session, appropriately titled "Why does Security Matter to DevOps?"
- It's too easy to ship bad code, so then bad things happen.
- It's cheapest and easiest to fix security issues sooner rather than later.
- Building security into the code sets the mindset of writing quality code (security = quality!).
- Traditional security doesn't work when moving at DevOps speeds.
All sound compelling. But none hit exactly on why security for DevOps is so important, at least according to Wong. To get the answer, one must look at TechBeacon's 10 companies "killing it at DevOps." The list predictably includes unicorns like Facebook, Netflix, Etsy and Amazon, but also old-guard types like Walmart, Adobe, Target, Nordstrom, Sony and Fidelity.
A quick Google search of the companies shows customer-facing security pages for most, stressing a culture of trust and security front and center. Security is a business imperative. It's also no coincidence that most of those companies have been victims of very high-profile hacks in recent years.
Security matters because security affects the bottom line. It's about sales, support and acquisition. Hacks and security breaches lead to negative press, and customers need to know their information is safe with you if they're to be customers at all.
"Let's think about that for a second. The only reason companies care about bad press is because they don't want bad press to affect sales or a potential acquisition," Wong claimed. Verizon nabbed a slick $350 million discount in the Yahoo merger following the cyberattacks on Yahoo. So again, security matters because it affects the bottom line.
Security matters because of compliance. Again, this is a business decision for many companies, where the cost of compliance is weighed against the risk of not complying, though Wong was quick to point out that for many others, compliance is important so their CISO (chief information security officer) can sleep at night.
"At the end of the day, it's all about sales, survival and business," Wong concluded.
More code equals more problems
Security for DevOps is also important because all companies are software companies. Take another look at that top 10 list. Walmart, Target and Nordstrom are traditional brick-and-mortar retailers, and Fidelity is an investment firm.
Even more traditional manufacturers are software companies. In his DevSecCon keynote, Kevin Greene, software assurance program manager for the U.S. Department of Homeland Security, stated that a new car has more than 100 million lines of code. That shouldn't come as a surprise to those following Tesla, which recently fixed a hardware problem by shipping a software update.
And all that code leaves plenty of room for vulnerabilities. "More code equals more problems," Greene warned, imagining the horror of a pacemaker ransomware attack. "Secure coding is the first line of defense in software development," he added.
That's more visceral than just bad press. It's ultimately why security for DevOps is important, and it's why we should listen to Greene when he says, "Always, I mean always, think DevSecOps."