
The Evolution of DevSecOps [Interview with Marc Cluet]

July 21, 2020 | Guest Blogger: Helen Beal

Marc Cluet is an organizer of London DevOps, DevSecOpsDays London and DevOps Exchange Barcelona, and technical practice lead for the digital accelerator platform at Nationwide Building Society in the UK. I recently spoke with Marc about how we have reached the current state of DevSecOps.

Helen: What was it that made you start organizing DevSecOpsDays in London?

Marc: In the past, I have been involved with and organized events such as WebPerfDays and DevOps Days, and because of this I was approached by Mark Miller to see if I would be interested in running DevSecOps Days here in a similar unconference spirit. I found the idea challenging and positive; my aim has always been for any events I organize to be able to give back to the community, and there was certainly a space for a DevSecOps unconference in the UK.

Helen: How would you describe the DevSecOps community in the UK? How is it different from the rest of the world, do you think?

Marc: I would say that the DevSecOps community in the UK is one of the most forward-thinking and advanced in the world. It encompasses all kinds of sensibilities, especially in a place like London where you have so many strong businesses in a single place, which is hardly reproduced anywhere else in the world.

Helen: How do you define DevSecOps?

Marc: DevSecOps builds on the culture and collaboration fostered by DevOps to ensure that security is a first-class citizen and involved in the creation and evolution of software from the beginning rather than being an afterthought.

Helen: When organizations move products and services into the cloud, what considerations do they need to maintain or improve their security posture?

Marc: Definitely improve; most organizations come from a world where the security lens was applied too late in the process. With cloud in general being a zero-trust zone, it is extremely important to improve the security posture and have the security teams embedded as much as possible. We have all seen what happens when that is not the case: full buckets of confidential information publicly available on S3, as an example.

Helen: How would you characterise the relationship between cloud and DevOps and DevSecOps?

Marc: They are all interconnected as they are part of what I call the “rubber bands” theory; each change and advance in technology, process or security accelerates that area which in effect pulls the other areas to accelerate or create a tension, like a rubber band connecting them. You don’t want that dependency or connection between different areas to snap as that is what creates internal tension in organizations. Cloud accelerated the platform, which enabled DevOps methodologies to be more effective which at the same time created the need for more integrated security and the shift left which DevSecOps enables.

Helen: Why are certificates still a challenge for DevOps?

Marc: Certificates used to be a very awkward thing, which required a lot of manual validation and interaction. Thanks to efforts like Let’s Encrypt, which popularized the use of APIs for certificate validation, and the ability to self-enroll into delegate CAs, certificates are a lot easier than they used to be. I would say it might still be a challenge, but it is one that can now be coded and properly maintained; adding Kubernetes cert-manager or Vault on top of that (or any other secrets solution) makes things extra amazing.

Helen: Is there a reference architecture or common toolset you look to as a model for engineering teams wanting to improve security around their product, pipeline and platform?

Marc: There are several. I would say this depends very heavily on the application itself and the nature of it; monolithic applications will have slightly different hardening and security review techniques than microservice or serverless apps. I would recommend looking at studies from the DevOps Institute as cross-industry standard references, which are reflected in their own publications and also those of IT Revolution Press.

Helen: Do you think bug bounty programs are a legitimate way for an organization to crowdsource security testing or are they a PR exercise and kind of lottery for threat hunters?

Marc: Bug bounty programs definitely are a good way to incentivise scrutiny of your application by the broader security community. The thing that I find sometimes lacking is a bit more clarity about risk, governance and responsibility. We have all seen cases where vulnerabilities have been reported only to find a wall on the other side, or where the reporter was directly reported to the authorities.

Helen: What does ‘good’ DevSecOps culture look like and how do organizations create and nurture it if they don’t already have it?

Marc: DevOps culture is intrinsically related to the business organization and overall culture as well. I would say there is no one model that fits all, but best practices definitely do help. Make sure security is embedded in your processes from the beginning and is able to work hand in hand with the teams, shifting left and budgeting for security from the beginning.

Helen: What mechanisms or practices do you recommend product teams use to measure their value outcomes?

Marc: Great question! First of all I would say the evolution from project-minded to product-minded outcomes is one of the biggest shifts we’re seeing in the industry. This goes hand in hand with agile delivery and empowers DevOps to do what it does best as well. Based on the shape of the product and the target consumer base there are different business metrics to be able to measure it successfully, but if I had to distill this down to the most basic it would be around time from ideation to market and pivoting potential, both very useful for the heavily competitive market we live in. I’d recommend reading ‘From Project to Product’ by Mik Kersten and ‘Flow’ by Fin Goulding and Haydn Shaughnessy for further inspiration and ideas.

Helen: Will DevSecOps live forever?

Marc: I’m not really the one to say, but I think that it will be around while it is useful. I really hope for a future where security is so integral that we don’t need new portmanteaus to characterize it.

About the author

Guest Blogger: Helen Beal

Helen Beal is a DevOps guru. She currently serves as a Member of the DevOps World Advisory Board, the DevOps Institute Board of Regents, and is listed in PowerAdmin's 51 DevOps Influencers to Start Following Today.