1. DevOps and Security, a Match Made in Heaven
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing.
Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android.
Sponsor: HP Enterprise
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Podcast Series. I'm
Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing sponsored discussion on IT innovation and how it’s making an impact on
people’s lives.
Our next DevOps thought leadership discussion explores the impact on security
and how those investing in DevOps models can expect to improve their security,
compliance, and risk-mitigation efforts. To help us better understand the
relationship between DevOps and security, we're joined by two panelists.
Please join me welcoming Gene Kim, DevOps researcher and author focused on
IT operations, information security and transformation. His most recent book is 'The Phoenix
Project: A Novel about IT, DevOps, and Helping Your Business Win', and his new book coming
out soon is called 'The DevOps Cookbook'. Welcome, Gene.
Learn the Four Keys
to Continuous DevOps
Gene Kim: Dana, great to be here. Thank you.
Gardner: We're also here with Ashish Kuthiala, Senior Director of Marketing and Strategy for
HP DevOps. Welcome back, Ashish.
Ashish Kuthiala: Thank you very much Dana. Glad to be here.
Gardner: Ashish, let me start with you. Coordinating and fostering increased collaboration
between development, the testers, and IT operations has a lot of benefits. We've been talking
about that in a number of these discussions, but security specifically. How is
DevOps engendering a safer code and an ability to work towards an iterative,
continuous approach to improved security?
Kuthiala: Dana, I look at security as no different than any other testing that you
do on your code. Anything that you catch early on in the process, fix it, and close
the vulnerabilities is much simpler, much easier, and much cheaper to fix than when the end
product is in the hands of the users.
At that point, it could be in the hands of thousands of users, deployed in thousands of
environments, and it's really very expensive. Even if you want to fix it there, if some trouble
Page 1
Gardner

2. happens, there is security breach, you're not just dealing with the code vulnerability but you are
also dealing with loss of brand, loss of revenue, and loss of reputation in the marketplace.
Gene has done a lot of study on security and DevOps. I would love to hear his point of view on
that.
Promise is phenomenal
Kim: You're so right. The promise of DevOps for advancing the information security objective
is phenomenal, but unfortunately, the way most information security practitioners react to
DevOps is one of moral outrage and fear. The fear being verbalized is that Dev
and Ops are deploying more quickly than ever, and the outcomes haven't been
so great. You're doing one release a year, what will happen if they are doing 10
deploys a day.
We can understand why they might be just terrified of this. Yet, what Ashish
described is that DevOps represents the ideal integration of testing into the the
daily work of Dev and Ops. We have testing happening all the time.
Developers own the responsibilities of building and running the test. It’s happening after every
code commit, and these are exactly same sort of behaviors and cultural norms that we want in
information security. After all, security is just another aspect of quality.
We're seeing many, many examples of how organizations are creating what some people calling
DevOps(Sec), DevOps plus security. One of my favorite examples is Capital One. which calls
DevOps in their organization DevOps(Sec). Basically, information security is being integrated
into every stage of the software development lifecycle. This is actually what every information
security practitioner has wanted for the last two decades.
Gardner: Ashish.
Kuthiala: Gene, that brings up an interesting thought. As we look at Dev and
Ops teams coming together without security, increasingly we talk about how
people need to have generally more skills across the spectrum. Developers need
to understand production systems and to be able to support their code in
production. But what you just described, does that mean that’s how the
developers and planners start to become security specialist or think like that?
What have you seen?
Kim: Let's talk about the numbers for a second. I love this ratio of 100 to 10 to 1. For every 100
developers, we have 10 operations people and you have one security person. So there's no way
you're going to get the adequate coverage, right? There are not enough security people around. If
we can't embed Ops people into these project or service teams, then we have to train developers
to care and know when seek help from the Ops experts.
Page 2
Kim
Kuthiala

3. We have the similar challenge in information security -- how we train, whether it's about secure
coding, regular compliance, or how we create evidence that controls exist and are effective. It is
not going to be security doing the work. Instead, security needs to be training Dev and Ops on
how to do things securely.
Kuthiala: Are there patterns that they should be looking at in security? Are there any known
patterns out there or are there some being developed? What you have seen with the customers
that you work with?
Kim: In the deployment pipeline, instead of having just unit tests being run after every code
commit, you actually run static code analysis tools. That way you know that it's functionally
correct, and the developers are getting fast feedback and then they’re writing things that are
potentially more secure than they would have otherwise.
And then alongside that in production, there are the monitoring tools. You're running things like
the dynamic security testing. Now, you can actually see how it’s behaving in the production
environment. In my mind, that's the ideal embodiment of how information security work should
be integrated into the daily work of dev, test, and operations.
Seems contradictory
Kuthiala: It seems a little contradictory in nature. I know DevOps is all about going a little
faster, but actually, you’re adding more functionality right up front and slowing this down. Is it a
classic case of going slower to go faster? Walk before you can run, until you get to crawl? From
my point of view, it slows you down here, but towards the end, you speed up more. Are you able
to do this?
Kim: I would claim the opposite. We're getting the best of all worlds, because the security
testing is now automated. It’s being done on demand by the developers, as opposed to your
opening a ticket, "Gene, can you scan my application?" And I'll get back to you in about six
weeks.
That’s being done automatically as part of my daily work. My claim would be not only is it
faster, but we'll get better coverage than we had before. The fearful info sector person would ask
how we can do this for highly regulated environments, where there is a lot of compliance
regimes in place.
If you were to count the number of controls that are continuously operating, not only do you
have orders and managing more controls, but they are actually operating all the time as opposed
to testing once a year.
Kuthiala: From what I've observed with my customers, I have two kind of separate questions
here. First, if you look at some of the highly regulated industries, for example, the
pharmaceutical industry, it's not just internal compliances and regulations. It's part of security,
Page 3

4. but they often have to go to the outside agencies for almost physical paperwork kind of
regulatory compliance checks.
As they're trying to go towards DevOps and speed this up, they are saying, "How do we handle
that portion of the compliance checks and the security checks, because they are manual checks.
They're not automated. How do we deal with external agencies and incorporate this in. What
have you seen work really well?
Kim: Last year, at the DevOps Enterprise Summit, we had one bank, and it was a smaller bank.
This year, we have five including some of the most well-known banks in the industry. We had
manufacturing. I think we had covereage of almost every major industry vertical, the majority of
which are heavily regulated. They are all able to demonstrate that not only can you be compliant
with all the relevant laws, contractual obligations, and regulations, but you can significantly
decrease the amount of work.
One of my favorite examples came from Salesforce. Selling to the Federal government, they had
to apply with FedRAMP. One of the things that they got agreement on from security, compliance
groups, and change management was that all infrastructure changes made through the
automation tools could be considered a standard change.
In other words, they wouldn’t require review and approval, but all changes that were done
manually would still require approvals, which would often take weeks. This really shows that we
can create this fast path not just for the people doing the work, but also, this make some work
significantly easier for security and compliance as well.
Human error
Kuthiala: And you're taking on the human error possibility in there. People can be on
vacation, slowing things down. People can be sick. People may not be in their jobs anymore.
Automation is a key answer to this, as you said.
Gardner: One of things we've been grappling with in the industry is how to get DevOps
accelerated into cultures and organizations. What about the security as a point on the arrow here?
If we see and recognize that security can benefit from DevOps and we want to instantiate
DevOps models faster, wouldn’t the security people be a good place to be on the evangelistic
side of DevOps?
Kim: That’s a great observation, Dana. In fact, I think part of the method behind the madness is
that the goal of the DevOps Enterprise Summit was to prove points. We had 50 speakers all from
large, complex organizations. The goal was to get coverage of the industry verticals.
Learn the Four Keys
to Continuous DevOps
I also helped co-host a one-day DevOps Security Conference at the RSA Conference, and this
was very much from a security perspective. It was amazing to find those champions in the
Page 4

5. security community who are driving DevOps objectives. They have to figure out how security
fits into the DevOps ecosystem, because we need them to show that the water is not only just
safe, but the water is great.
Kuthiala: This brings up a question, Gene. For any new project that kicks off, it’s a new
company. You can really define the architecture from scratch, thus enabling you a lot of practices
you need to put in place, whether it's independent deliverables and faster deliverables, all acting
independent of each other.
But for the bigger companies and enterprise software that’s being released -- we've discussed this
in our past talks -- you need to look at the architecture underneath it and see how we can
modernize this to do this.
So, when you start to address security, how do you go about approaching that, because you know
you're dealing with a large base of code that’s very monolithic? It can take thousands of people
to release something out to the customers. Now, you're trying to incorporate security into this
with any new features and functions you add.
I can see how you can start to incorporate security and the expertise into it and scan it right from
development cycle. How do you deal with that big component of the architecture that’s already
there? Any best practices?
Kim: One of the people who have best articulated the philosophy is Gary Gruver. He said
something that, for me, was very memorable. If you don’t have automated testing, and I think his
context was very much like unit testing, automated regression testing, you have a fundamentally
broken cost model, and it becomes too expensive. You get to a point where it becomes too
expensive to add features.
That’s not even counting security testing. You get to a point where not only it is too expensive,
but it becomes too risky to change code. So, just as marketing is too important to leave to the
marketing people, and quality is too important to leave to the QA people -- so too security is too
important to leave just to the security people.
We have to fully empower developers to get feedback on their work and have them fully
responsible for not just the features, but the non-functional requirements, testability,
deployability, manageability, and security.
A better way
Gardner: Assume that those listening and reading here today are completely swayed by our
view of things and they do want to have DevOps with security ingrained. Are there not also
concurrent developments around big data and analytics that give them a better way to do this,
once they've decided to do it.
Page 5

6. It seems to me that there is an awful lot of data available within systems, whether it's log files,
configuration databases. Starting to harness that affordably, and then applying that back to those
automation capabilities is going to be a very powerful synergistic value. How does it work when
we apply big data to DevOps and security, Ashish?
Kuthiala: Good question Dana. You're absolutely right with data sources now becoming easy,
bringing together data sources into one repository and at an affordable cost. We're starting to
build analytics on top of that and this has being applied in a number of areas.
The best example I can talk about is how HP has been working on an IP creation of the area of
testing using big data analytics. So, if we have to go faster and we have to release software every
hour or every two, versus every six to eight months, you need to test it as fast as well. You can no
longer afford to go and run your 20,000 tests based on this one-line change of code.
You have to be able to figure out what modules are affected, which ones are not, and which ones
are likely to break. We're starting to do some intelligent testing inside of our labs and we're
finding that we're about 80 to 85 percent accurate in predicting what to test and not to test and
what features are reflected or not.
Similarly, using the big data analytics and the security expertise that Gene talked about, you need
to start digging through and analyzing exactly the same as we run any test. What security
vulnerabilities do you want to test, which functions of the code? And it’s just a best practice
moving forward that you start to incorporate the big data analytics into your security testing.
Gardner: Gene.
Kim: You were implying something that I just want to make explicit. One of the most
provocative notions that Ashish and I talked about was to think about all the telemetry and all the
data that the build mechanisms create. You start putting in all the results of testing, and suddenly
we have a much better basis of where we apply our testing effort.
If we actually need to deploy faster, even if we completely automate our tests, and even if we
parallelize them and run them across thousands of servers and if that takes days, we may be able
use data to tell us where to surgically apply testing so we make a informed decision on whether
to deploy or not. That's an awesome potential.
Gardner: Speaking of awesome potentials, when we compress the feedback loops using this
data, when development and operations are collaborating and communicating very well, it seems
to me that we're also moving from a reactive stance to security issues, closer to a proactive stance
with certainly as little time as possible.
One of the notions about security is that you can’t prevent people from getting in, but you can
limit the damage they can do when they do get in. It seems to me that if you close a loop between
development operations and test, you can get the right remediation out into operations and
production much quicker. Therefore you can almost behave like we had seen with anti-malware
Page 6

7. software, where the cycle between the inception of a problem, the creation of the patch, and then
deployment of the patch was very, very short.
Is that vision pie in the sky or is that something we could get to when DevOps and security
comes together, Gene?
Key to prevention
Kim: You're right on. The way an auditor would talk about it is that there are things that we
can do to prevent, that’s code review, that’s automated code testing and scanning.
Making libraries available so that developers are choosing things and deploying them in a
secured state are all preventive controls. If we can make sure that we have the best situational
awareness we can of the production environment, those are what allow quicker detection
recovery.
The better we are at that, the better we are at mitigating, effectively mitigating risk.
Kuthiala: Gene, as you were talking, I was thinking. We have this notion of rolling back code
when something breaks in production, and that’s a very common kind of procedure. You go back
into the lab, fix what didn’t work, and then you roll it back into production. If it works, it's fine.
Otherwise, you roll it back and do it over again.
But with the admin of DevOps and those who are doing this successfully, there are no roll backs.
They roll forward. You just go forward, because with the discipline of DevOps, if done well, you
can quickly put a patch into production within hours, versus months, days, and weeks.
And similarly like you talked about security, you know once a vulnerability is out there that you
want to go fix it, you want to issue the patch. With DevOps and security, there are lot of
similarities.
Gardner: Before we close out, is there anything for the future? We've heard a lot about the
Internet of Things (IoT), a lot more devices, device types, networks, extended networks, and
variable networks. Is there a benefit with DevOps and security as a tag team, as we look to an
increased era of complexity around the IoT sensors and plethora of disparate networks? Ashish?
Kuthiala: The more you talk about IoT, the more holes are open for hackers to get in. I'll give
you classic example. I've been looking forward to the day where my phone is all I carry. I don’t
have to open my car with my keys or I can pay for things with it, and we have been getting
towards that vision, but a lot of my friends who are in high-tech are actually skeptical.
What happens if you lose your phone? Somebody has access to it. You know their counter
argument against that. You can switch off your phone and wipe the data etc. But I think as IoT
Page 7

8. grows in number, more holes open up. So, it becomes even more important to incorporate your
security planning cycles right into the planning and dev cycles.
Gardner: Particularly if you're in an industry where you expect to an have an Internet of Things
ramp up getting automation in place, thinking about DevOps, thinking about security as an
integral part of DevOps certainly makes a great deal of sense to me. Gene.
Kim: Absolutely, you said it better than I ever could. Yes.
Gardner: We'll have to leave it there. We've been discussing the relationship between DevOps
and security and exploring the impact of security on things like compliance and risk and auditing
and I would like to thank our guest for very intriguing discussion.
We've been here with Gene Kim, DevOps Researcher and Author focused on IT operations,
information security and transformation. His most recent book is 'The Phoenix Project: A Novel
about IT, DevOps, and Helping Your Business Win', and his new book coming out soon is called
'The DevOps Cookbook'. Thanks so much, Gene.
Learn the Four Keys
to Continuous DevOps
Kim: Thank you so much.
Gardner: And we have been here with Ashish Kuthiala, Senior Director of Marketing and
Strategy for HP DevOps. Thank you, Ashish.
Kuthiala: Thank you very much, Dana.
Gardner: And I'd like to extend a big thank you to our audience as well for joining for this
DevOps and security discussion.
I'm Dana Gardner, principal analyst at Interarbor Solutions, your host for this ongoing series of
HP sponsored discussions. Thanks again for listening and come back next time.
Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android.
Sponsor: HP Enterprise
Transcript of a Briefings Direct discussion on the relationship between DevOps and security and
exploring the impact of security on compliance, risk, and auditing. Copyright Interarbor
Solutions, LLC, 2005-2015. All rights reserved.
You may also be interested in:
• Redcentric Uses Advanced Configuration Database to Focus Massive Merger Across
Multiple Networks
• HP at Discover delivers the industry's first open, hybrid, ecosystem-wide cloud
architecture
Page 8

9. • How Tableau Software and Big Data Come Together: Strong Visualization Embedded on
an Agile Analytics Engine
• Big Data Helps Conservation International Proactively Respond to Species Threat in
Tropical Forests
• How Globe Testing helps startups make the leap to cloud- and mobile-first development
• GoodData analytics developers on what they look for in a big data platform
• ITIL-ITSM tagteam boosts Mexican ISP INFOTEC's operations quality
• Novel consumer retail behavior analysis from InfoScout relies on HP Vertica big data
chops
• IT Operations Modernization Helps Energy Powerhouse Exelon Acquire Businesses
• ECommerce portal Avito uses big data to master rapid fraud detection
• How a Hackathon Approach Juices Innovation on Big Data Applications for Thomson
Reuters
• How Waste Management Builds a Powerful Services Contiunuum Across Operations,
Infrastructure, Development, and IT Processes
• GSN Games hits top prize using big data to uncover deep insights into gamer preferences
Page 9