Building Security into DevOps: A Slack Takeover with Larry Maccherone
Thought leaders throughout the software community are taking over the TechWell Hub for a day to introduce themselves, answer questions, and engage in conversations.
Larry Maccherone is the senior director driving the DevSecOps transformation at Comcast. He speaks and writes about security and how to incorporate it into DevOps, and he teaches hands-on tutorials about making lean, agile, data-driven decisions.
@Larry Maccherone presided over our most recent Slack takeover, which led to some insightful discussions.
Defining DevSecOps
Maccherone started by defining DevSecOps as empowered engineering teams taking ownership of how their product behaves all the way to production, including security. The key, he noted, is "taking ownership."
However, Maccherone pointed out that he has the same definition for DevOps. “I have a love-hate relationship with the term DevSecOps,” he said. “In general, I believe if you are doing DevOps correctly, you are doing the ‘Sec’ part.”
Getting Started with Security Practices
“Understanding security is extremely challenging. There are so many dimensions and so much to learn. How should someone get started learning about security?” —@msowers
Many security frameworks have driven policy people to create huge lists of security practices that everyone “should” do, which can make it hard to know where to start.
“One of the guiding principles in my updated DevSecOps Manifesto is, ‘Adopt a few key practices deeply and universally more than a comprehensive set poorly and sporadically,’” Maccherone said. “The idea is to pick just a few things and focus on those before you spread.”
He advised beginning with actions developers and development teams can take.
“The absolute best bang-for-the-buck thing to start with is analysis for code imported, aka software composition analysis, or misnamed open source security,” Maccherone said.
The Changing Role of Security Specialists
“How do you see the role of security specialists changing over the next three to five years?” —@owen
Maccherone said he thinks it will be similar to the way QA roles have changed over the last decade.
“Go back pre-agile and you had these huge QA groups,” he said. “Development teams would throw their stuff over the wall to the QA group to validate.
“Then, with the increase in the use of automated testing and the silo breakdown caused by the agile movement and continued with the DevOps movement, you had the development team morph into a cross-functional, self-directed, empowered engineering team that took care of their own QA. You may have QA specialists still, but they now are on a single development team, and most of those folks had to learn how to at least write automated tests, if not production code.”
Maccherone sees the DevSecOps movement as another silo breakdown.
“A lot of what the security specialist folks at large organizations used to do will be taken care of by the empowered engineering team,” he predicted.
Just as quality has become everyone’s responsibility, so too will security—and that trend is only being accelerated by the increased adoption of DevOps practices.