Secure workloads without slowing down your DevOps flows – Help Net Security


Lamar: It’s definitely a hot topic here at RSA and lots of companies are looking into it, trying to figure out how to merge between the security teams and the development teams. The development teams are definitely running ahead, trying to get things out to market and security teams are trying to make sure that everything they are pushing is secure and it’s going to the delivering processes. We’re seeing a lot of companies and services trying to bridge that gap, and make sure that those two teams can work together and be able to get their process and products out.

Lamar: I’d say the best way to get started is to go talk to the developers and see what they’re planning. There’s a lot of open source DevOps tools that are out there, and we see a lot of developers going, grabbing those, working with those, playing with those, and bringing those into the workplace and using them. A lot of times it becomes things that security teams don’t know about, IT doesn’t know about yet. But talk to them, see what they’re using and see how to bridge and make sure we can add security to those tools.

David: One of the things that I’ve seen myself talking to application developers is, how often security just wasn’t even in their considerations, as they started to adopt more of these DevOps tools, especially as they were moving to the cloud. As you see customers adopting cloud infrastructure, what are some of the top security challenges they’d need to be thinking about?

Lamar: Definitely. On the containers, it’s kind of the next segment from virtual machines and for a period of time people thought “oh, it’s just a container, there’s no security issues with it”, which we find that’s not the case. Scanning those containers needs to happen pre-production and during production. There are tools out there that you need to be looking at and looking at your containers before they move into production, make sure they are secure and check compliance.

Lamar: We’ve seen a lot of that actually, in some of the research. There’s a lot of free containers you can just go grab and start your work from there, but they’re not necessarily secure or they’re not configured correctly. So it’s like grabbing any open source, you’ve got to vet it. You’ve got to make sure it’s what you need for your environment, make sure it’s secure and then build on top of it.

Lamar: Definitely, preproduction. We’re seeing a lot of tools now where it’s easier for the developers to scan their own containers and scan their own even serverless, to see what their security stance is before they start. As long as that’s easy, they’ll continue to do that, and they don’t mind doing that. There’s an easy way to fix them before they move into production, because they want to get their code into production, and they don’t want to have IT or SecDevOps say: “All right, well we didn’t do this. Let’s hold off a week or a month.” They’re more interested in getting their code out, so they’ll follow the processes. Having it done beforehand is huge. Looking at it after you push into production, that’s also always going to be required.

David: I remember the old way of doing security assessment which is someone makes a build, they put it into test, and they let security have at it for a couple of days, or they’ll spend a week doing their security assessment. Clearly, those approaches aren’t going to work anymore when people are trying to push code into production on an hourly basis. I think that’s the part that people are often missing around the DevOps cycle which is really all about agility and speed and the velocity that the developers are moving at. Any security solutions that we look at, absolutely have to be moving at the pace of DevOps. That means we have to rethink some of the traditional security controls, maybe even the idea of taking a few hours to do these assessments, really doesn’t work in this new world again, does it?

Lamar: Definitely not. We used to do Waterfall, and Agile killed that. Now DevOps is killing Agile. It’s just not fast enough and IT has got to be at that same pace. I think it’s imperative that you scan and your security is throughout your whole process, and like you say it’s minutes, it’s not hours, it’s not days. Then you’ve got to have a way to revert, if something is wrong, and revert has to be almost instantaneous also.

Lamar: It’s integrations and automation mainly. Integration with different tools to check where you’re at in the process, check your pipeline. Once you get into production basically, it’s kind of the most effective way. Any change happens to production, then you just rollback. You don’t have to wait and see what the change was, you can do the forensics on the back end. But if this container changes, for instance, roll it back, put in the known good container and go forward. That should be completely automated and be in a matter of seconds, not even minutes, for that to happen.

David: Let’s talk about one other topic which is something I hear DevOps talk a lot about which is immutable. That design pattern that everything that we move to production won’t change at all anymore. All the changes will happen from the developer perspective. Have you heard people talk about or use immutability? How does that affect the security of these applications that are built with this immutable paradigm?

Lamar: It is. It comes up a lot, and I think the theory is pretty good. But there’s also the gap of, once this is moved into production, even though the developer did the changes, IT made, and what changes happened. Should that particular device be doing something different now than it did before? You go back and ask the developer what was the change control, and the developer tells you: “Oh, that’s in GitHub or in my code control system to tell you what all my changes were.” There’s a gap there that’s happening, so they’re not as immutable as they think they are.

David: The other thing people also need to keep in mind is the idea that, even if the container or the immutable object itself doesn’t change, the threat environment is always changing. So, a system that might not have been vulnerable when we first scanned it a couple days ago, actually maybe a new vulnerability came out and is vulnerable today.

Lamar: Absolutely. Continuous scanning of these devices is required, these assets. You can’t scan like we used to. Companies will scan their assets once a week, once a quarter, once a month. That’s not valid anymore. Our landscape changes so fast. We’re looking at DevOps switched the code and the products are changing so fast, we almost need to be in a complete continuous security assessment.

Lamar: It’s happening all across the environments. It’s interesting because it’s not the same teams. What you’ll see in large enterprises is, maybe there’s multiple teams that are doing this, and some are doing it in cloud, some are doing it on-prem, and they don’t even use the same tool sets. There’s not as much standardization across here either, which is also an issue from an IT’s standpoint of trying to make sure everything’s secure.