By Ravi Rajamiyer | May 29, 2018 06:00 AM EDT | Reads: 3,925
DevSecOps - When "Infrastructure as Code" Meets "Security as Code"
Not very long ago, in my IT consulting career, I was responsible for launching mission-critical applications that help enterprises leap to the cutting edge of the digital business revolution. Leading such a mission required a lot of hard skills: getting the system architecture and software design right early, mentoring and managing the engineering resources, and tracking progress to the satisfaction of the business analysts who put together the requirements and the stakeholders who funded the projects. Those skills, while hard, were largely deterministic and manageable compared with another set of skills required to ensure that the built applications come alive in production environments and run reliably and securely thereafter. This other set of skills often pits application developers against infrastructure administrators and InfoSec professionals. It is also typically viewed as the "last mile" in the journey to go live with any application, and can only be developed by understanding the following patterns that govern the dynamics of interaction:
- Infrastructure Issues: Infrastructure capacity planning and provisioning is an inherently complex and time-consuming process. It requires long lead times to make sure the necessary and sufficient compute, storage, and network capacity will be available well before the very first line of code is written for the business application. All estimates of growth in scale, as well as timelines, need to be forecast well ahead of time, resulting in over-provisioning just to avoid scarcity of resources when they are needed. This is the antithesis of the way modern application developers operate, where speed, agility, and responding to change are fundamental attributes.
- Security Issues: Because the traditional separation of development and operations teams leaves developers with only limited, high-level information about the infrastructure topology on which their application will run, the "security review" is often pushed late in the development process, yet is still viewed as a gating requirement for production launch. This is known to cause severe friction between developers and InfoSec professionals, since very often the established security guidelines require significant changes to the application architecture and design, causing delays and dismay among software architects and developers.
Both of the above issues share a common thread: the lack of visibility, communication, and cooperation between developers, IT administrators, and InfoSec professionals. It's not hard to understand the entrenched cultural issues that block communication, as these groups have traditionally operated in silos. Another way of looking at this problem is the inability of the professionals to see the cross-domain concerns that are at play. For example, from an application developer's perspective, the features he or she develops are critical for the business. For an operations or security person, however, the potential disruption a new application can cause to smooth operation trumps any business value the new application can bring. Unless a mechanism arrives to enable such a cross-functional view, with the ability to influence a change in practices, things will remain status quo. Fortunately, this mechanism has arrived naturally, and is alive and thriving today, as we can see below.
Infrastructure as Code
Infrastructure as code, alternatively known as programmable infrastructure, is the practice of provisioning and managing data center resources through software that uses definitions of resources such as compute, storage, and network in the form of machine-readable files. It uses a form of high-level programming language through which developers can automate the configuration, deployment, and management of resources while still adhering to the style and standards of modern-day software development practices. The advantages of such a methodology can't be emphasized enough, as it provides independence, control, repeatability, and traceability through version control. This is the first mechanism that emerged to facilitate understanding of the cross-domain concerns between developers and IT operations. Two fundamental shifts began to emerge with this development:
- Developers obtain a powerful handle on the problem of hardware resources, albeit virtualized, through a simple interface they are familiar with: APIs and software libraries. Suddenly the deployment and operation of hardware is simply an extension of the traditional coding exercise. As a side benefit, developers now understand service-level requirements such as high availability, scalability, reliability, and fail-over, resulting in a new level of appreciation for the IT operations team.
- IT administrators obtain clear visibility into the dynamics of software engineering, the rapidity and agility that are becoming increasingly commonplace, and acquire some development skills themselves to contribute to the programmable infrastructure. As a side benefit, they are also relieved from capacity surprises, over-provisioning of infrastructure, and change-control conflicts, and become truly collaborative with the developers in leveraging the "elasticity" and "ephemeral" nature of the programmable infra-cloud.
The convergence of the two above-mentioned trends is known as "DevOps," marking the advent of "infrastructure as code," as depicted by the diagram below:
Security as Code
The success of the "infrastructure as code" practice certainly provided a template for bringing InfoSec professionals to the table, as we see a pickup in momentum in discussing security requirements early in the software engineering practice. The fundamental requirement for "security as code" is the ability to achieve programmable security controls and to automate the definition, assessment, and enforcement of security before and after applications go live, and throughout their operational lifecycle. InfoSec professionals have certain fundamental requirements regarding the security of infrastructure and applications, such as visibility, transparency, and repeatability in the application of security controls. The challenge is to ensure that this is possible without hindering the speed of application development desired by the developers, particularly given the infrastructure automation/DevOps platforms now at their disposal, as depicted in the figure below.
Just as in the case of programmable infrastructure described in the previous section, this also creates two fundamental shifts in mindset:
- InfoSec people now believe it is possible to expect application developers to follow secure coding practices, and to have a visible and automated way of assuring this through static code analysis, so that code-level vulnerabilities are identified early in development. It also became easier for InfoSec people to enable developers to utilize "security hardened" and "fully patched" platforms with mandatory security baselines on which to build the applications.
- Developers realize that application security concerns must be "left-shifted," and be a non-negotiable acceptance criterion before promoting applications through the stages of the SDLC pipeline such as Dev, QA, Staging, and Production.
The convergence of the two above-mentioned shifts is known as "SecOps," which marks the advent of "security as code," as depicted by the diagram below:
Putting It Together, aka "DevSecOps"
Based on the above arguments, it should be apparent that "infrastructure as code" and "security as code" are powerful if adopted together. There is a natural confluence of these two as depicted in the figure below, which calls for a harmonious engagement between the various roles and systems at play.
The following fundamental tenets of the DevSecOps framework and their merits are undeniable:
- Introduce agility and speed by investing in a hardened tool chain covering the develop-test-deploy-monitor lifecycle of applications and resources.
- Question everything by creating visibility at every stage of the Continuous Integration / Continuous Delivery (CI/CD) pipeline.
- Bring security as a fundamental and non-negotiable acceptance criterion early in the development process, in other words, "left shift" security.
- Suspect everything, including code, configurations, artifacts, and infrastructure, and establish security assessment as a requirement for progress through the pipeline.
- Promote often, and promote confidently through Dev, QA, Staging, and Production.
- And, finally: automate, automate, automate.
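The "Infrastructure as Code" section above describes resources defined in machine-readable, version-controlled files, and the tenets just listed call for security assessment as a gate before promotion. The following added example (not code from the article, and not Cavirin's product) puts the two together: the infrastructure definition is a constructed, deliberately simplified dict loosely modelled on a Terraform plan (an assumption; the real plan JSON schema differs), and each security policy is an ordinary function that returns findings with a remediation, so a CI/CD stage can block promotion on a high-severity result. The resource types, attribute names and sample values are all constructed for the example.

```python
"""Security-as-code gate for an infrastructure-as-code definition.

Added example, not code from the article or from Cavirin. The plan format is a
constructed, simplified dict loosely modelled on a Terraform plan (assumption:
real plan JSON has a different schema). Each policy rule is plain code that
lives in version control beside the infrastructure definition and returns
findings with a remediation, so a pipeline stage can fail on them.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str      # "high" blocks promotion, "medium" is reported only
    message: str
    remediation: str


ADMIN_PORTS = {22, 3389}   # SSH and RDP: never exposed to the whole internet


def _cidr_is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_open_admin_ports(res: dict) -> list:
    """Security group ingress must not expose an admin port to any address."""
    if res["type"] != "security_group":
        return []
    findings = []
    for ingress in res["attributes"].get("ingress", []):
        lo, hi = ingress.get("from_port", 0), ingress.get("to_port", 65535)
        world = any(_cidr_is_world(c) for c in ingress.get("cidr_blocks", []))
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(Finding(
                "open_admin_port", res["name"], "high",
                f"ingress ports {lo}-{hi} are reachable from any address",
                "restrict cidr_blocks to a bastion or VPN range"))
    return findings


def rule_storage_encrypted(res: dict) -> list:
    """Storage buckets must have server-side encryption switched on."""
    if res["type"] != "storage_bucket":
        return []
    if res["attributes"].get("encryption_enabled") is True:
        return []
    return [Finding("storage_unencrypted", res["name"], "medium",
                    "server-side encryption is not enabled",
                    "set encryption_enabled = true")]


def rule_iam_wildcard(res: dict) -> list:
    """IAM policies must not allow the wildcard action."""
    if res["type"] != "iam_policy":
        return []
    statements = res["attributes"].get("statements", [])
    if not any(s.get("effect") == "Allow" and "*" in s.get("actions", [])
               for s in statements):
        return []
    return [Finding("iam_wildcard_action", res["name"], "high",
                    "policy allows every action ('*')",
                    "enumerate only the actions the workload needs")]


RULES = (rule_open_admin_ports, rule_storage_encrypted, rule_iam_wildcard)


def evaluate(plan: dict) -> list:
    """Run every rule over every resource: the security assessment step."""
    return [f for res in plan["resources"] for rule in RULES for f in rule(res)]


def gate(plan: dict) -> bool:
    """Promotion decision for a pipeline stage: any high finding blocks it."""
    return not any(f.severity == "high" for f in evaluate(plan))


# Constructed sample: a plan as a developer might first submit it ...
SUBMITTED_PLAN = {"resources": [
    {"type": "security_group", "name": "web_sg", "attributes": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "storage_bucket", "name": "logs",
     "attributes": {"encryption_enabled": False}},
    {"type": "iam_policy", "name": "deploy", "attributes": {"statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]}},
]}

# ... and the same plan after applying the reported remediations.
HARDENED_PLAN = {"resources": [
    {"type": "security_group", "name": "web_sg", "attributes": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.20.0.0/24"]}]}},
    {"type": "storage_bucket", "name": "logs",
     "attributes": {"encryption_enabled": True}},
    {"type": "iam_policy", "name": "deploy", "attributes": {"statements": [
        {"effect": "Allow", "actions": ["s3:GetObject"], "resources": ["*"]}]}},
]}

if __name__ == "__main__":
    for name, plan in (("submitted", SUBMITTED_PLAN), ("hardened", HARDENED_PLAN)):
        for f in evaluate(plan):
            print(f"[{f.severity}] {name}/{f.resource}: {f.message} -> {f.remediation}")
        print(f"{name}: {'PROMOTE' if gate(plan) else 'BLOCK'}")
```

Because the rules are code, they are reviewed, versioned and tested like the infrastructure definition they check; the submitted plan is blocked with three findings, and the hardened plan passes the gate with none.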
While it is possible for enterprises to build home-grown solutions around this, it pays immensely for them to seek out solution vendors that have thought through this deeply and integrated it into the DNA of their products. There are several viable open source platforms available as well, that may require more in-house expertise in putting things together.
Essential Characteristics of a DevSecOps Oriented Security Management Platform
There are multiple options available in the marketplace for enterprises that are interested in establishing the DevSecOps model in their application development, deployment, and infrastructure management. While researching the suitability of any such platform, the following fundamental requirements must be kept in mind:
- It must be programmable by exposing open APIs.
- It must be able to integrate and coexist with the IT ecosystem.
- It must be cloud-agnostic, and flexibly deployable across multiple infrastructure topologies.
- It must be able to secure applications before they go live in production.
- It must help establish a security baseline, and allow continuous watching for drift from it.
- It must support point-in-time as well as event-driven, monitoring-based security assessments.
- It must report issues truthfully and knowledgeably, and offer means of remediation.
- It must create full-circle awareness of the operation of the pipeline through notifications.
- It must be able to support incident response mechanisms through easy integrations with other systems.
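Several of the requirements just listed (a security baseline, continuous watching for drift, point-in-time as well as event-driven assessment, remediation guidance, and notifications that other systems can consume) can be shown working together in a small model. The following is an added example, not code from the article or from Cavirin's platform: the control names, baseline values, host state and change events are all constructed, and a real platform would collect the state from agents or cloud APIs rather than from an in-memory dict (an assumption of the example).

```python
"""Security baseline with point-in-time and event-driven drift assessment.

Added example, not code from the article or from Cavirin. The control names,
baseline values, host state and change events are constructed; a real platform
would collect the state from agents or cloud APIs (assumption).
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Drift:
    control: str
    expected: object
    actual: object
    severity: str
    remediation: str


# Constructed baseline: expected value, severity of deviating, remediation text.
BASELINE = {
    "sshd.PasswordAuthentication": ("no", "high", "set PasswordAuthentication no and reload sshd"),
    "sshd.PermitRootLogin": ("no", "high", "set PermitRootLogin no and reload sshd"),
    "firewall.open_tcp_ports": (frozenset({22, 443}), "medium", "close ports not in the baseline"),
    "audit.enabled": (True, "medium", "enable and start the audit daemon"),
}

# Constructed host state that matches the baseline exactly.
COMPLIANT_STATE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.open_tcp_ports": frozenset({22, 443}),
    "audit.enabled": True,
}


def check_control(control: str, actual) -> Optional[Drift]:
    """Compare one control with its baseline; None means compliant."""
    expected, severity, fix = BASELINE[control]
    if actual == expected:
        return None
    return Drift(control, expected, actual, severity, fix)


def point_in_time_assessment(state: dict) -> list[Drift]:
    """Scheduled full scan: every baseline control is compared with the state."""
    drifts = [check_control(c, state.get(c)) for c in BASELINE]
    return [d for d in drifts if d is not None]


@dataclass
class DriftMonitor:
    """Event-driven assessment: re-checks only the control a change touched and
    pushes any drift to notifiers (a pipeline, chat, or ticketing integration)."""
    state: dict
    notifiers: list[Callable[[Drift], None]] = field(default_factory=list)
    history: list[Drift] = field(default_factory=list)

    def on_change(self, control: str, new_value) -> Optional[Drift]:
        self.state[control] = new_value
        if control not in BASELINE:
            return None          # not a security control; nothing to assess
        drift = check_control(control, new_value)
        if drift is not None:
            self.history.append(drift)
            for notify in self.notifiers:
                notify(drift)
        return drift

    def worst_severity(self) -> Optional[str]:
        """Highest severity seen so far, for a dashboard or pipeline status."""
        if any(d.severity == "high" for d in self.history):
            return "high"
        return "medium" if self.history else None


if __name__ == "__main__":
    monitor = DriftMonitor(dict(COMPLIANT_STATE))
    monitor.notifiers.append(
        lambda d: print(f"NOTIFY [{d.severity}] {d.control}: "
                        f"expected {d.expected!r}, got {d.actual!r} -> {d.remediation}"))
    print("point-in-time:", point_in_time_assessment(monitor.state) or "no drift")
    # Constructed change events, as an agent or config-management hook might emit them.
    monitor.on_change("sshd.PasswordAuthentication", "yes")
    monitor.on_change("motd.text", "welcome")            # not a baseline control
    monitor.on_change("firewall.open_tcp_ports", frozenset({22, 443, 8080}))
    print("worst severity:", monitor.worst_severity())
    print("point-in-time:", len(point_in_time_assessment(monitor.state)), "drifted controls")
```

The point-in-time scan and the event-driven path share one `check_control`, so a drift is reported the same way whether it is found by a scheduled scan or the moment a change lands; the notifier list is the integration point the last two requirements describe.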
Copyright © 2018 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
About the Author
Dr. Ravi Rajamiyer serves as Cavirin's vice president of engineering. He leads the engineering organization at Cavirin, where he is responsible for Cavirin's products and services as well as research and development. He is a seasoned software engineering professional with a solid track record of building, mentoring, and leading high-performance engineering teams. In his career, Ravi has spanned product development and R&D responsibilities at Yahoo, VMware, and a couple of successful Silicon Valley technology startups. He has an MS from the Indian Institute of Technology (IIT) Bombay and a PhD from Washington University in St. Louis.