What is DevSecOps and Why is it Important?


Posted on in Podcasts

Integrating security into the development lifecycle can be a challenge, especially for those who don’t understand why security matters to development and operations. What’s the ROI of DevSecOps? What are the key KPIs? Join us for an insightful conversation that explains why DevSecOps is important while shining a spotlight on some DevSecOps bloopers to avoid. Our guests will also expose the cost of bad DevSecOps and offer suggestions for how to measure developers on security.

Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast where the world talks security.


Kacy Zurkus:
Hello listeners, and welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host Kacy Zurkus, Content Strategist with the RSA Conference. And today, we are fortunate enough to have a guest moderator joining us, Keenan Skelly, and she will be talking with Stephanie Simpson about all things DevSecOps. But first I want to remind our listeners that here at RSAC, we host podcasts twice a month and I encourage you to subscribe, rate, and review us on your preferred podcast app, so you can be notified when new tracks are posted. And now I'd like to turn it over to Keenan to introduce yourself and we can dive into today's topic, Keenan?


Keenan Skelly:
Thank you so much, Kacy. I'm really excited to be here. Keenan Skelly, I'm currently the CEO of Shadowbyte, which is a threat intelligence company. Absolutely love the security and cyber security space.


Keenan Skelly:
I'm very excited to be here with Stephanie Simpson from Scythe today, who's going to be talking with me about DevSecOps. I think everybody has a lot of questions about what that means in the tech world because the more we get into new tech products that seem like they might be for security, we often find that in the background there is not security behind them or in that process. DevSecOps is really an interesting topic. Stephanie, why don't you give a quick introduction of yourself and then I'm going to ask you all the questions.


Stephanie Simpson:
Great. Thanks Keenan. Hi everyone. I'm Stephanie Simpson, the VP of Products for Scythe. I've been in software for about 25 years and specifically in cybersecurity for over five years. I'm excited to talk with you, Keenan, about DevSecOps.


Keenan Skelly:
Great. Now for the crowd and for the listeners. I want you all to know that we literally all just got back from RSA Conference in San Francisco a day or so ago. If this is a little exciting for you or a little bit too exciting for you, we totally get it. Listen to it again later. Okay. DevSecOps, from the lens of a product person, what does DevSecOps mean to you and how is it different from, I know you've done some other software that wasn't necessarily specifically security related. How are you finding that in your new role versus your older roles?


Stephanie Simpson:
Good question. What is DevSecOps? Well, I think most people think of DevOps, which has been around for a long time. That's around development and operations specific to software. It's around the tools, automation, all the operations work needed in order to create a product. DevSecOps obviously is even more important because it has the security part in it. It's just not in the process as much. We'll talk a little bit about that today. I am as a VP, very focused on the business aspect of it and I think that's what I would like to talk about.


Keenan Skelly:
That's actually really fascinating. I think that a lot of listeners and a lot of folks in the cybersecurity space don't necessarily think of it from that perspective. Tell me more about why the business part is so important?


Stephanie Simpson:
Absolutely. I think to start off, what is the cost of bad DevSecOps to a business?


Keenan Skelly:
Oh yeah.


Stephanie Simpson:
Exactly. Right? Coming at it from me, I'm looking at it as if I launch a product without good DevSecOps, what would happen? There are many things that could happen. One is it could hurt my brand reputation. I could launch something, there are security gaps and all of a sudden the customer comes back to me and maybe tells the world that our security product doesn't have good security. That could kill us. The second thing is support calls. If something isn't patched quick enough, actually this is really interesting, I'm not sure if everyone knows, but anyone who deals with the government or is part of the government, there's a time limit. You have to actually patch certain things on a regular basis. If you don't...


Keenan Skelly:
Oh yeah.


Stephanie Simpson:
...you have to actually not use that product.


Stephanie Simpson:
We could have a huge problem with attrition as well, if we don't do even the minimum, right? Of security. And then of course the last thing which you never want is a delayed launch. If you don't have some sort of process and way to incorporate DevSecOps into your regular sprints, it could definitely delay launches.


Keenan Skelly:
How would that differ from, I know you worked at some large companies previously, how does that process differ from what it used to be for you? Now that you have to add security into it, is it more time? Is it more effort? How much does it affect each one of those things? Brand reputation, support calls, attrition? Is it more detrimental in a security company than it is in a regular company? Or does that kind of even up?


Stephanie Simpson:
That's a good question.


Stephanie Simpson:
I think 100% is more detrimental in a security company. I think it's more forgiving if you're not.


Keenan Skelly:
Yeah.


Stephanie Simpson:
But before that, I think that, I'm trying to think when I haven't done tech. For me, it's been part of my background for at least seven years. But prior to that, it was much easier. It was just easier. Infusing security into your process is tricky and you need to know how to do it.


Keenan Skelly:
Yeah, absolutely. Let's talk a little bit about KPIs for DevSecOps, how do we really measure developers on security and what does that even look like?


Stephanie Simpson:
Yeah, I think we're kind of in the infancy of that right now. I try to measure as much as I can, but not get to the point where I'm bogged down by it. The big thing and it's not just security bugs, but any type of bugs, being able to measure and celebrate bugs that are found by quality assurance versus bugs that are found by a customer.


Stephanie Simpson:
And you obviously want a higher ratio.


Keenan Skelly:
Yeah.


Stephanie Simpson:
Yeah. Higher ratio of all the assurance bugs found and celebrate that. Right? That's one of the things that we focus on. The other kind of softer things around making sure that DevSecOps is important is making sure that the security and ops requirements are added to the backlog and that it's a requirement of definition of done. You cannot launch without these things.


Stephanie Simpson:
And then the last thing is making sure that quality assurance actually has security test cases and that part of the QA testing that's happening throughout the sprint, not just at the end of the sprint is testing and continuously testing those security test cases.


Keenan Skelly:
Absolutely. Do you make it a point then to hire QA folks and engineering folks that have some kind of security or do you kind of hire them for their amazing development skills and then kind of train them on the security afterwards?


Stephanie Simpson:
Yeah. I think you need a hybrid mix. And I think the biggest thing is around making sure all developers are trained. Trained on how to develop for the best product that's secure, but also how to make sure that they understand that security testing, everyone on the team knows how important it is to test security and that those test cases are created. I think as long as everyone knows what that process is and as long as you have a leader who is able to drive that process, it should be something that any developer should pick up pretty easily.


Keenan Skelly:
Yeah. That's really great. And it's great, I like what you said about training everyone. That's so important when it comes to security, but especially when you're building security products.


Stephanie Simpson:
Absolutely.


Keenan Skelly:
Let's talk a little bit about agile DevSecOps. First of all, how is that even possible when you add security into the mix? Security is not often super agile in the development space, so how easy is it or hard is it to do that? And what's kind of your process for that?


Stephanie Simpson:
Yeah, absolutely. I think when people think of agile, they think only of sprints, right? Okay. We're doing things in sprints and then we're launching it at the end. There's a lot of things in the middle of that, that DevSecOps can actually help drive. For instance, I talked a little bit about the definition of done. At the end of every sprint, there is a definition of what is done. And as long as the security requirements are part of that, then something cannot be considered done. The dev team itself. Right? Every agile or scrum team has a certain number of developers. Well, if you don't have a security person on that team, you find a champion.


Stephanie Simpson:
And I was talking a little bit about the hybrids, right? There are people who are excited about security and some who aren't, so really finding that champion, but still having them part of that team. Prioritization is huge in agile. Making sure that the requirements that are associated with security are prioritized and put at the top of the backlog. Having the tools, right? Using automation and alerting to be able to do the testing and get alerted when something is not up to code. Being very transparent, the number one thing in agile, right? Just being transparent. No one is ever going to catch everything. Just like there's never going to be no breaches.


Keenan Skelly:
Yeah.


Stephanie Simpson:
But as long as you're transparent and everyone knows and alerts people that there has been something that's been found, then they can go and fix it and put it in the backlog and put it as part of everything.


Stephanie Simpson:
And last but not least is around T-shaped skills. A developer can be very good and deep in one skill, but then very wide in a bunch of skills.


Keenan Skelly:
Yeah.


Stephanie Simpson:
But part of the wideness, or the top of the T, hopefully you can develop developers into having security as part of that top of the T.


Keenan Skelly:
Absolutely. I think it's really important something you said a moment ago about transparency. I know that every other day we hear about new breaches, but not just with global organizations or financial institutions, but even at cybersecurity companies or companies that do cybersecurity. I think that transparency is one of the most important things that we can be pushing as people who develop cybersecurity products. That there are things that are going to happen. It happens, we're going to fix it. And here's the patch that's coming out in three days to take care of it.


Keenan Skelly:
I think that kind of goes back to your ROI. Can you tell me a little bit about how that ROI and transparency are interlinked when you're dealing with your customers on DevSecOps?


Stephanie Simpson:
Yeah. I think that's really insightful. I think with transparency and just acknowledging that it will happen, it allows you to put it into a regular schedule. You allot time from a person to always have X number of hours to work on it during the week. And when you already know that will happen, you kind of also need to incorporate that into the launch plan and the messaging to your customers. They understand that you will have patches and what the patch schedule is, usually every week or something like that. They don't come back to you and think that you've done something wrong. It is just what it is.


Stephanie Simpson:
And then you're starting to teach your customers.


Keenan Skelly:
And I think that's really paramount right now, especially a lot of companies get really scared. A lot of companies get really upset. And what do you mean you got hacked? Well, we're all going to get hacked, but we have a process in place for it. I think that's one of the huge benefits of DevSecOps and the way that you approach it. Right?


Stephanie Simpson:
Yeah. And one other thing. You were saying about the transparency and how it relates to ROI. I think one of the other things is being proactive versus reactive, right? You don't want to wait until something is out in the field. You want to proactively put together a way to check for holes using automation tools to check to see where you have gaps in not only the software itself, but there may be gaps in your people, in your process.


Stephanie Simpson:
And Scythe for instance, can help with that. And there are other tools, but proactively finding those so that you can make changes.


Keenan Skelly:
Absolutely. And security is just for the longest time, it's been very reactive. As we get better with processes, as we get better with technology to detect things that's where we're all headed for. I hate to say lots of boom, but let's say lots of cyber boom. Right?


Stephanie Simpson:
Right. It's just finding it before it happens.


Keenan Skelly:
Absolutely. Final thought, what would you say to dev teams out there who are really trying to begin to implement DevSecOps and some of the challenges that they're probably facing, what would you give them as kind of sage advice as the VP of Product?


Stephanie Simpson:
Yeah. I would say the first thing is don't be paralyzed by it, just start. I imagine that people are not doing it because they don't know where to start or they're scared or whatever it is. And so just start. And I think that there are different ways that they could do that: if they don't have someone internally, hire a consultant. If they do have someone internally, allot that person to start to at least create the basics of what it is that they need to do. I suggest everyone on here go and look at Tanya Janca's She Hacks Purple.


Keenan Skelly:
Oh, she's so great.


Stephanie Simpson:
Yeah. I saw her and I can't do it justice, what she says, but it's like a wonderful Bible for starting and it's on GitHub and I'd highly suggest people going and looking at that because it's kind of like a to-do list.


Stephanie Simpson:
And I think the other thing that people kind of ask is what will it cost? The one thing I would say and back to being the business side, it will cost a lot more to not do it. Just start it.


Keenan Skelly:
Yeah.


Stephanie Simpson:
Start investing in it, put the hours towards it, start putting it in the process. Everyone in product management should know all of the things I talked about in terms of agile. It's just about adding those requirements and incorporating it in as if it's just any other requirement you have.


Keenan Skelly:
That's so true because it's hard. Nobody wants to do it, but you got to get in there. Jump in head first.


Stephanie Simpson:
Exactly.


Keenan Skelly:
Stephanie, thank you so much for chatting with me about this. It's such an important topic and you as always are amazing. I highly recommend checking out Tanya as Stephanie suggested. And I think that's our time for today, but hopefully we get to talk again soon.


Kacy Zurkus:
I'll jump in and give a thank you to both of you. Keenan, great job moderating the conversation. I'd love that you brought Stephanie to...


Keenan Skelly:
Thank you.


Kacy Zurkus:
...us to engage in this important conversation. Thank you both for being here today. Listeners, thank you for tuning in. To find products and solutions related to DevSecOps and software integrity, we invite you to visit RSAconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels, using the hashtag RSAC, and be sure to visit RSAconference.com for new content posted year round. Thank you all. Have a great day.



Participants
Stephanie Simpson

Vice President of Product, SCYTHE

Keenan Skelly

Founder, Executive Director, XRVillage
