The DevOps-y Future of Security EngineeringBy Mike Rothman
We have talked a lot about how this cloud thing and the associated DevOps revolution will fundamentally reshape security. Probably not tomorrow, or even the day after that. But before you know it, everything you thought you knew about security will have changed. Rich documented a bunch of our thinking in his Future of Security paper, so you can start there.
As with most new disruptive innovations, there are likely other folks already where you want to be – it is good to learn from them. So I was very interested in slides from Zane Lackey (who used to run security engineering for Etsy), from his talk on how to build a modern security engineering organization.
A few key points from his presentation:
- Etsy pushed code into production up to 30 times a day.
- They surfaced security information to everyone, not just security folks.
- Communication is key to getting folks to work with security, rather than working around security.
- Expand your team by offering bug bounties.
- Use penetration tests to figure out how hackers will achieve their goals – not to just prove that your app can be pwned.
Overall it is a good deck, which serves as a good reminder that our world is changing. Understand how, or wait to get run over.