I spent a very rewarding couple of days at DevSecCon in Boston recently. The conference focused on DevSecOps, which is a catch-all phrase for addressing security concerns as early as possible in the product development lifecycle. In no particular order, here were a few of the takeaways that were swimming around in my head as I left Boston.
The latest tools are tightly integrated with developer workflows, allowing meaningful security analysis, identification, and remediation during initial code development. Throughout the development, testing, QA, and production pipeline, there are tools that mean that in production there can be a high degree of certainty that there are no OWASP Top-10 vulnerabilities present.
Containers are everywhere, and they are one of the enabling technologies that make both DevOps and DevSecOps possible, or at least make them easier and more fun to do. The ephemeral nature of containers, their implicit infrastructure-as-code paradigm and the continuing maturity of the technology all make containers one of those things that need to be in place for DevSecOps to work. (You also need automated tests, of course. You can read more on the importance and value of automated testing here and here).
Developing security champions within engineering teams provides a quick way of spreading tools and best practices quickly throughout an organization. In my experience, the Champion is between the security expert and the main team of engineers.
One comment made by the excellent Matt Jones during his presentation emphasized that security really needs to disappear into the background. This is exactly the approach that 3Pillar’s UX teams take when thinking about security. Matt’s example was spot on – using two-factor authentication with a code from an app on your phone is WAY too many steps. Why not use an SMS based solution? It’s simpler, quicker, and a much better overall experience. This will be even more true when iOS 12 is released. Your Apple device will recognize recent codes in iMessages and email and offer to autofill them for you.
I was very intrigued by what I learned about Contrast Security (www.contrastsecurity.com), a tool that provides automated detection and protection through in-code instrumentation. Contrast was recently listed as the only visionary in Gartner’s Magic Quadrant for Application Security Testing, and I could see why based on how simple it makes it to keep applications secure.
If you’re interested in learning more about what was shared at the conference, there are a number of presentations that were given at the event – seven to be exact – that are now available on Slideshare. You can view them here.