Security has a communication problem, and DevOps is the answer, says Chef

Jeff Mery, VP global solutions architects at Chef, tells delegates at Computing's Cyber Security Live conference that treating everything as code helps to overcome the traditional translation challenges between developers, infrastructure teams and security

Security has a long-standing communication problem which can be solved by a DevOps approach.

That's the opinion of Jeff Mery, VP global solutions architects at Chef. Mery was speaking at Computing's Cyber Security Live conference in Central London.

He began by outlining the traditional challenges faced by various teams in most organisations.

"Application teams are trying to go fast, and infrastructure teams are trying to keep up," said Mery. "Security teams are also struggling to keep up to ensure everyone doesn't leak data. The technology is one thing, but there's this political problem of the organisation trying to figure out what's happening and how everyone can work together," he added.

Mery explained that security is generally viewed as something which slows down the pace of work, and sometimes stops people doing their jobs.

"A healthcare customer was spending an average of 17 person hours per system per audit. They have 61,000 systems. That's a lot of time spent on compliance and audit," he said.

In Mery's view, it's traditional approaches which are the biggest root causes of this slow pace of work. "I was a developer 25 years ago and the development process hasn't changed much since then," he said.

He added that compliance and audit give a false sense of security.

"Actual compliance levels vary depending on when the auditors are coming in. In between no one cares because the auditors aren't looking. I've been there, I've lived it, I know it.

"It's a communication problem. In the security space you have different groups speaking different languages. Compliance speak in Word and PDF. Security use Nessus, Darktrace, tools like that. Developers and operations speak Ansible. Translating between compliance and security is hard."

He explained that the DevOps approach is to treat everything as code, as code is a universal language.

"Code doesn't lie, doesn't come in hungover, doesn't take a day off. It can be easily checked into tooling. You can do things like take your audits and shift them left in the dev process. A dev shouldn't have to know all compliance rules to safeguard an application, you should be able to give them guardrails.

"That's the pro-active posture we want to adopt. So instead of a big red stop sign, it's helpful. Then you know the result of the audit before the auditors come in.

"The new way is getting everyone to use shared tooling across the organisation. It's more than just what we deliver. It's version control - treating things as code - everything is automated. That includes things like compliance and testing. That's how you get safe. It's part of a holistic view of everything in the enterprise being treated as code."
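As an added illustration of the "audit as code" guardrail Mery describes (this is not Chef's code and does not reproduce any tool named in the article), the Python script below encodes a few compliance controls as functions and runs them against a constructed configuration, so the pass/fail result is known in the pipeline rather than when the auditors arrive. The control ids, rules and configuration are invented for the example.

```python
"""Compliance-as-code guardrail run in the development pipeline.

Added example, not Chef's or the speaker's code: each compliance rule is a
small function of the proposed configuration, so the same checks run in a
developer's pipeline and produce the audit result before an auditor arrives.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample of a service's deployment configuration.
SAMPLE_CONFIG = {
    "ssh": {"permit_root_login": False, "password_auth": True},
    "tls": {"min_version": "1.2"},
    "logging": {"forward_to_siem": True},
}

@dataclass(frozen=True)
class Control:
    control_id: str                 # stable id the compliance team can cite
    title: str                      # plain-language requirement (the "Word and PDF" view)
    check: Callable[[dict], bool]   # machine-checkable rule (the "code" view)

def _tls_ok(cfg: dict) -> bool:
    # Compare numerically so "1.10" would not sort below "1.2" as a string.
    parts = tuple(int(p) for p in cfg.get("tls", {}).get("min_version", "0").split("."))
    return parts >= (1, 2)

CONTROLS = [
    Control("ssh-01", "Root must not log in over SSH",
            lambda c: c.get("ssh", {}).get("permit_root_login") is False),
    Control("ssh-02", "SSH password authentication must be disabled",
            lambda c: c.get("ssh", {}).get("password_auth") is False),
    Control("tls-01", "TLS 1.2 or newer must be the minimum version", _tls_ok),
    Control("log-01", "Logs must be forwarded to the SIEM",
            lambda c: c.get("logging", {}).get("forward_to_siem") is True),
]

def run_audit(cfg: dict) -> dict[str, bool]:
    """Evaluate every control; a missing setting counts as a failure, not an exception."""
    return {ctl.control_id: bool(ctl.check(cfg)) for ctl in CONTROLS}

def failing_controls(cfg: dict) -> list[str]:
    """Ids of failed controls; an empty list means the guardrail lets the change through."""
    return [cid for cid, passed in run_audit(cfg).items() if not passed]

if __name__ == "__main__":
    for ctl in CONTROLS:
        status = "PASS" if ctl.check(SAMPLE_CONFIG) else "FAIL"
        print(f"{status} {ctl.control_id}: {ctl.title}")
    # Non-zero exit is the "guardrail" a CI pipeline can act on before deployment.
    raise SystemExit(1 if failing_controls(SAMPLE_CONFIG) else 0)
```

Running the script against the sample configuration fails only ssh-02, so the developer sees the audit outcome and the plain-language requirement without having to know the whole compliance rulebook.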

He concluded by explaining that this builds security into the design process.

"Everything is then secure by design. You want to know the results of the audit before the auditor ever even shows up. Then instead of this language barrier, you can move to solving higher level business problems."

Earlier at the conference, Computing presented the results of its latest security research: Managing the inevitable: what happens when security is breached. This research was conducted by Delta, Computing's new market intelligence service.