Every DevOps conference likes to talk about the benefits of DevSecOps and shifting security left. The challenge for most organisations is how to do it. Part of the problem is breaking down cultural barriers, and success there is patchy. A more important issue is working out where security integrates with DevOps. The stock answer is shift-left, but exactly how to do that and what it means still seems to be a secret.
At RSA 2020, Enterprise Times cornered Chris Kirsch who is responsible for product strategy at Veracode. As Veracode is an application security vendor, we wanted to know what was going on and how to better secure apps.
We started off by asking Kirsch why security teams were building their own pipelines to insert into the DevSecOps process. Kirsch started by saying that security teams complain: “Developers don’t understand security.” He then turned that around, saying: “Security needs to understand development better.”
Kirsch continued: “Development has moved on a lot and understanding pipelines and automation is really critical for software security.” Kirsch sees automation as the key to keeping up with the current cadence of software development. He also sees automation as allowing the testing of a much larger set of software inside the business.
Kirsch talks about the complexity that open source brings when it comes to testing libraries. He also says that investing in app sec has to start at the top of the company. There needs to be buy-in at the people level. Interestingly, Kirsch raises the issue that not all testing can be automated and not all software can be pentested.
To hear what else Kirsch has to say, listen to the podcast.