Breaking down information silos and becoming an advocate for security helps you, your career, and your company.
Security is a misunderstood part of DevOps: some people think it is outside the scope of DevOps, while others think it is so important (and so overlooked) that they propose DevSecOps instead. Whichever side you take, it is clear that cyber security affects all of us.
Every year, the statistics on hacking get more shocking. For example, a hack occurs every 39 seconds, and the result can be the theft of records, identities, and the proprietary projects you wrote for your company. It could take your security team months to discover who was behind the attack, what it was for, where it happened, and when; sometimes they never find out.
How should operations professionals face these tough questions? I say it is time to become a champion of cyber security and be part of the solution.
A turf war for spheres of influence
In the years I have spent working side by side with my local IT Security (ITSEC) team, I have noticed a lot of things. One big problem, and a very common one, is the tension between the security team and DevOps. This tension is almost always caused by the security team's efforts to protect the system against vulnerabilities (for example, setting up access controls or disabling things), which can disrupt the DevOps team's work and keep them from deploying applications quickly.
In my experience, everyone you meet in the field has at least one story about this. A handful of grudges eventually burn the bridge of trust, which either takes a long time to repair or starts a mini turf war between the two groups, making DevOps even harder to achieve.
A new perspective
To break down these silos and end the wars over influence, I chose at least one person from each security team to talk to, in order to learn the ins and outs of our organization's day-to-day security operations. I started doing it out of curiosity, but I keep doing it because it always brings me some valuable new perspective. For example, I learned that for every deployment that was stopped because it failed a security check, the security team was frantically trying to fix 10 other problems they had found. They react abruptly and sharply because they have only a limited amount of time to fix these problems before they become a major problem.
Consider the knowledge required to discover, identify, and roll back completed changes, or to work out what the DevOps team is doing (with no background information) and then reproduce and test it. All of this is usually done by grossly understaffed security teams.
This is the daily life of your security team, and your DevOps team does not see it. The ITSEC routine means overtime and overwork to ensure that the company, its teams, and everyone who works in them can do their jobs safely.
Ways to become a security advocate
These are the things you can help with once you become an advocate for your security team. It means that for everything you do, you have to look carefully at every way other people could get in, and at what they could take out.
By helping your security team, you are helping yourself. Add tools to your workflow that combine what you know how to do with what they know how to do. Start small, for example by reading public vulnerability disclosures (CVEs) and adding scanning modules to your CI/CD process. Whatever code you write, there is an open source scanning tool for it, and adding small open source tools (such as those listed below) can make the project better in the long run.
Container scanning tools:
- Anchore Engine
- Clair
- Vuls
- OpenSCAP
Code scanning tools:
- OWASP SonarQube
- Find Security Bugs
- Google Hacking Diggity Project
Kubernetes security tools:
- Project Calico
- Kube-hunter
- NeuVector
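One concrete way to add a scanning module to a CI/CD pipeline is to put a policy gate between the scanner and the deploy step: the scanner produces findings, the gate decides whether the build may proceed. The script below is an added example, not code from the original article or from any of the tools listed above. It assumes a hypothetical, tool-neutral findings shape (id, package, installed version, severity, fixed version); every real scanner emits its own report format, so a small adapter would map that output into this shape. The sample report and allow-list are constructed, and the CVE ids in them are placeholders.

```python
"""CI security gate: turn a scanner report into a pass/fail decision.

Added example, not code from the original article or from any of the tools
listed above. It assumes a hypothetical, tool-neutral findings shape
(id, package, installed, severity, fixed_version); each real scanner emits
its own report format, so a small adapter would map that into this shape.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the CVE ids are placeholders, not real entries.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.2.3",
    "findings": [
        {"id": "CVE-0000-00001", "package": "openssl", "installed": "1.1.1a",
         "severity": "CRITICAL", "fixed_version": "1.1.1b"},
        {"id": "CVE-0000-00002", "package": "bash", "installed": "5.0",
         "severity": "HIGH", "fixed_version": None},
        {"id": "CVE-0000-00003", "package": "curl", "installed": "7.64",
         "severity": "MEDIUM", "fixed_version": "7.65"},
    ],
})

# Accepted risks: finding id -> ISO expiry date. After expiry the waiver stops
# applying, so an exception cannot silently live forever.
SAMPLE_ALLOWLIST = {"CVE-0000-00002": "2099-01-01"}


def evaluate(report_json, allowlist, today, fail_at="HIGH", require_fix=True):
    """Classify findings and decide whether the build may proceed.

    Returns (passed, blocking, waived, advisory). A finding blocks the build
    when its severity is at or above fail_at and, if require_fix is set, an
    upstream fix exists; severe-but-unfixable findings are reported as
    advisory so the pipeline is not permanently red for things nobody can
    act on yet. Allow-listed findings are waived until their expiry date.
    """
    report = json.loads(report_json)
    today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_at.upper()]
    blocking, waived, advisory = [], [], []
    for finding in report["findings"]:
        expiry = allowlist.get(finding["id"])
        if expiry is not None and today <= date.fromisoformat(expiry):
            waived.append(finding)
            continue
        severe = SEVERITY_RANK.get(finding["severity"].upper(), 0) >= threshold
        fixable = finding.get("fixed_version") is not None
        if severe and (fixable or not require_fix):
            blocking.append(finding)
        else:
            advisory.append(finding)
    return (not blocking, blocking, waived, advisory)


def main(argv):
    """Read a report file (or the embedded sample) and exit non-zero on block."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking, waived, advisory = evaluate(
        report_json, SAMPLE_ALLOWLIST, date.today().isoformat())
    for label, group in (("BLOCK", blocking), ("WAIVED", waived), ("INFO", advisory)):
        for f in group:
            fix = f.get("fixed_version") or "no fix yet"
            print(f"{label:6} {f['id']} {f['package']} {f['installed']} "
                  f"[{f['severity']}] fix: {fix}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scanner (`python gate.py report.json`); a non-zero exit stops the deploy. Two design choices matter for keeping the peace between the two teams: waivers carry an expiry date, so the security team can see accepted risks come back up for review, and severe findings with no fix yet are reported rather than blocking, so the DevOps team is not stuck behind something nobody can act on.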
Keep your DevOps attitude
If your job role is DevOps, learning new technology and how to use it to build new things is part of the job. The same goes for security. Here is how I stay up to date on DevOps security:
- Read one security article a week that is relevant to your line of work.
- Check the CVE website every week to see what new vulnerabilities have been published.
- Try a hackathon. Some companies hold one every month; if that is not enough and you want to learn more, you can visit Beginner Hack 1.0.
- Attend a security meeting with members of your security team at least once a year to see things from their point of view.
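The weekly CVE check is easier to keep up when a script does the first pass: pull the feed, keep only the entries from the last seven days that name a product you actually run, and sort by score. The script below is an added example, not code from the original article. SAMPLE_FEED is a constructed sample loosely modelled on the layout of the NVD JSON feed (CVE id, published date, description, CVSS base score, CPE 2.3 match strings); its ids are placeholders, not real CVE entries, and INVENTORY is a hypothetical list of what the organization runs.

```python
"""Weekly CVE watch: reduce a vulnerability feed to what touches your stack.

Added example, not code from the original article. SAMPLE_FEED is a
constructed sample loosely modelled on the NVD JSON feed layout (CVE id,
published date, description, CVSS base score, CPE 2.3 match strings); the
ids are placeholders, not real CVE entries, and INVENTORY is a hypothetical
list of what the organization runs.
"""
import json
from datetime import date, timedelta


def _record(cve_id, published, summary, score, cpe):
    """Build one NVD-style record for the constructed sample feed."""
    metrics = {} if score is None else {
        "cvssMetricV31": [{"cvssData": {"baseScore": score}}]}
    return {"cve": {
        "id": cve_id, "published": published,
        "descriptions": [{"lang": "en", "value": summary}],
        "metrics": metrics,
        "configurations": [{"nodes": [{"cpeMatch": [{"criteria": cpe}]}]}],
    }}


SAMPLE_FEED = json.dumps({"vulnerabilities": [
    _record("CVE-0000-00010", "2020-01-05T10:00:00.000", "Memory handling flaw in openssl.",
            9.8, "cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*"),
    _record("CVE-0000-00011", "2020-01-07T08:30:00.000", "Information leak in nginx.",
            5.3, "cpe:2.3:a:nginx:nginx:1.16.0:*:*:*:*:*:*:*"),
    _record("CVE-0000-00012", "2020-01-06T12:00:00.000", "Auth bypass in widget.",
            9.1, "cpe:2.3:a:exampleco:widget:2.0:*:*:*:*:*:*:*"),
    _record("CVE-0000-00013", "2019-12-20T09:00:00.000", "Privilege escalation in kubernetes.",
            8.1, "cpe:2.3:a:kubernetes:kubernetes:1.15.0:*:*:*:*:*:*:*"),
    _record("CVE-0000-00014", "2020-01-03T16:45:00.000", "Unscored issue in openssl.",
            None, "cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*"),
]})

# (vendor, product) pairs, as they appear in CPE 2.3 strings, for what we run.
INVENTORY = {("openssl", "openssl"), ("nginx", "nginx"), ("kubernetes", "kubernetes")}


def cpe_vendor_product(cpe):
    """Extract (vendor, product) from a CPE 2.3 string, or None if malformed."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return (parts[3].lower(), parts[4].lower())


def base_score(cve):
    """Return the first available CVSS base score, or None when unscored."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return float(entries[0]["cvssData"]["baseScore"])
    return None


def affected_products(cve):
    """Collect every (vendor, product) named in the record's CPE matches."""
    found = set()
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                pair = cpe_vendor_product(match.get("criteria", ""))
                if pair:
                    found.add(pair)
    return found


def triage(feed_json, inventory, today, days=7, min_score=7.0):
    """Return the CVEs from the last `days` days that name a product we run.

    Entries scoring below min_score are dropped; entries with no score yet
    are kept and sorted to the top, since they still need a human look.
    """
    today = date.fromisoformat(today)
    window_start = today - timedelta(days=days)
    hits = []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        published = date.fromisoformat(cve["published"][:10])
        if not (window_start <= published <= today):
            continue
        products = affected_products(cve) & inventory
        if not products:
            continue
        score = base_score(cve)
        if score is not None and score < min_score:
            continue
        summary = next((d["value"] for d in cve.get("descriptions", [])
                        if d.get("lang") == "en"), "")
        hits.append({"id": cve["id"], "score": score, "published": published.isoformat(),
                     "products": sorted(products), "summary": summary})
    hits.sort(key=lambda h: (-(10.0 if h["score"] is None else h["score"]), h["id"]))
    return hits


if __name__ == "__main__":
    # Fixed date so the constructed sample falls inside the window.
    for hit in triage(SAMPLE_FEED, INVENTORY, "2020-01-08"):
        print(hit["published"], hit["id"], hit["score"], hit["products"], hit["summary"])
```

In practice you would replace SAMPLE_FEED with the feed you download and INVENTORY with the vendor/product pairs from your own deployment manifests. Keeping unscored entries at the top is deliberate: a newly published CVE often has no CVSS score for a few days, and dropping it would mean the weekly check misses exactly the items that are freshest.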
Being an advocate is about being better
Here are a few reasons why you should become an advocate for security. The first is to increase your knowledge and help your career development. The second is to help other teams, build new relationships, and break down the silos that are bad for your organization. Establishing a network throughout your organization has many benefits, including setting an example of communication between teams and encouraging people to work together. You can also promote knowledge sharing across the organization and give everyone a new opportunity for better internal cooperation on security.
In general, being an advocate for cyber security makes you an advocate for your entire organization.
Via: opensource.com/article/19/…
By Jessica Repka, lujun9972
This article was originally translated by LCTT and published by Linux China.