Developers now encounter all kinds of tools and integrations coming at them from everywhere, for all parts of the software delivery process and an ever-increasing threat landscape.
Trying to handle security with DevOps these days can sometimes leave us thinking like Ferris Bueller: “How could I be expected to handle school on a day like this?” from the movie “Ferris Bueller’s Day Off.”
However, the movie can teach a lot about how some of the biggest challenges of securing DevOps can be solved, according to Rob Cuddy, global application security evangelist at HCL Software, in the talk “DevOps Moves Pretty Fast. If You Don’t Stop and Secure It Once In a While, You Could Miss It” at VSMcon 2022.
First, a parallel can be drawn to how organizations can validate their inputs in the “Sausage King from Chicago” restaurant scene. In the scene, there’s an unmonitored station with an open reservation book sitting on top of it. Someone can easily just say, “I’m Abe Froman, party of three.”
When Ferris threatens to call the police on himself, he just calls the restaurant and no one notices. Confusion ensues when the phone call is answered somewhere else and Froman is described exactly as he’s currently dressed, ending up in a free lunch.
There are many points of failure here that can be carried over to security: the untrained staff, the exposed data, and the lack of cross-referencing resulting in lost money.
In his talk, Cuddy said, “I think there are some other things that we tend to get faked out on that we need to be aware of and be thinking through, particularly when it comes to DevOps and DevSecOps. And the first one is limiting noise, right? We’re really good about producing lots of reports and lots of data on things that are happening. But we want to be able to get to things that are actionable.”
Be sure to check out the session that borrows more lessons from Ferris, such as the iconic opening scene, the infamous Mr. Pe