DevSecOps: The Benefits of Security and DevOps Working Together

For years, security professionals, including myself, have advocated for security to be part of the development process. Recently, development has been undergoing a big shift “to the left” so that security is part of a more integrated process in development. You may be aware of this change as DevOps. DevOps means that development and operations, the team responsible for deployment and management, work closely together rather than having cold hand-offs. One of the ways this works is by automating as much as possible, including building, packaging, testing and deployment. The integration came at an opportune time, alongside a shift in software development that started in the late 1990s and is now called Agile.

What is Agile? 

Agile is about rapid development that produces a releasable product at the end of each iteration. Most importantly, Agile is about focusing on customer needs and not big, over-developed software. DevOps provides the ability to take the idea of Agile several steps further. Beyond just having a product that the customer can use, DevOps opens the door to deployment and delivery. As more applications and functions become enabled through web technologies, there are more frequent deployments that the customer can use. Pinterest, as an example, deploys up to 50 times a day to their platform. 

Where Security Comes In 

You may be wondering where exactly the security comes in here. Security professionals may be concerned about what DevOps means for them. As it is, when a development process is complete, security gets tossed a product to do testing and assessment. How bad could that be if development and deployment are happening at least once every couple of weeks? Fortunately, there are answers to this question, and the good news is that the change helps from a security perspective. This is where “shifting left” comes in.

When we talk about “shifting left,” we mean that we are pushing things earlier into the development process. Like the operations team, the security team can provide their needs and requirements to development early on. This can mean ensuring that security tests are built into the test automation. It should also mean that security is working closely with developers so developers understand what secure development looks like — appropriate practices and frameworks, for instance.

Implications for the Customer 

If security and its requirements are incorporated earlier in the process and security professionals become a more prominent stakeholder, the customer benefits. Each development cycle has to factor in security and if there is anything required of the security team, they get tasks just like any of the developers or operations staff. This may include changes to intrusion detection systems, firewalls or web application firewalls if it’s a web application being developed.  

An enormous advantage to regular deployments is the time to repair shrinks. If development teams are releasing even every two weeks, customers have a better chance of getting updates that fix security issues much faster. This helps the company and it helps the customer. It is a win-win.  

Similarly, if processes are automated, the security team is in an even better position because there is less chance of the human error that results from botched installs or configurations. Security work benefits directly from that automation.

In the end, the blend of DevOps with Security, now referred to as DevSecOps, has enormous potential to improve application security. If you aren’t looking into it for your teams, you should be. Move security left! 

Circadence’s Laura Lee Mentors Young Women at Cybersecurity Badge Program Launch Event for Girl Scouts in Partnership with Palo Alto Networks

Our own Laura Lee, executive vice president of rapid prototyping, recently mentored young girls at a Girl Scouts event on Wednesday, June 27, that celebrated the launch of a new cybersecurity badge program.

The program is the brainchild and joint partnership between Palo Alto Networks and Girl Scouts of the USA (GSUSA). It is a national effort aimed at eliminating traditional barriers to technology industry access, such as gender and geography. According to the Girl Scouts, the programming will target girls as young as five years old, helping ensure that even the youngest girls have a foundation primed for STEM careers.

Laura, along with a group of nine other cybersecurity industry leaders, mentored six girls at a time in a roundtable format and answered questions about cybersecurity careers. While each mentor shared their own professional journey in cybersecurity, three common themes emerged: (1) no one started out thinking they wanted to be in cybersecurity but rather fell into it; (2) cybersecurity requires curiosity, life-long learning and diversity; (3) not many women are in the field (and the girls can change that!).

Laura shared how she started out as an aerospace engineer building Missile Defense systems, a 15-year career path that prepared her for a transition into cybersecurity defense. She shared how Circadence® participates in many cybersecurity education events including the SoCal Cyber Cup, a challenge for middle and high school students, where a female won the entire competition. The story of the young girl winning such a notable competition was a strong proof point to the potential for more women to enter the cybersecurity field. The example brought an enthusiastic round of applause among the Girl Scouts.

“I told them to think broadly about cybersecurity – it isn’t just computer science. In every field (medical, law, economics), there are cybersecurity aspects, so [I said they] should learn about it no matter what [they] want to pursue,” said Laura.

The mentorship event reflected Circadence’s commitment to educate and train everyone interested or involved in cybersecurity, from aspiring professionals to seasoned experts. Further, the event was an opportunity to show the Girl Scouts how engaging and fun cybersecurity jobs can be, especially with the introduction of platforms like Circadence’s Project Ares®, a gamified teaching and training tool for cybersecurity professionals. “Being involved in this is another fundamental way to explain how a serious game [like Project Ares] can help teach concepts,” said Laura.

While Laura’s stories and insight proved invaluable to the girls, Laura left the event equally impressed with the girls’ level of engagement and interest in cybersecurity. Circadence is proud to have Laura represent the company and use her expertise to inspire and educate the next generation of cybersecurity professionals.

Play, Watch, Experience: Circadence to Host First-Ever “Game of Titans” Cyber Challenge in Las Vegas

As the New York Times points out, “Video games are beginning their takeover of the real world,” and with the popularity of Fortnite and other events gaining traction, Circadence® is jumping on the voyeuristic video game bandwagon by hosting its first “Game of Titans” Cyber Challenge–a unique event that will demonstrate the power of its immersive, online cybersecurity training platform Project Ares®.

The “Game of Titans” competition is one of THREE ways cybersecurity warriors can experience the power of gamification within cybersecurity training in Las Vegas from August 6 through August 9.

We’ve detailed the three opportunities for cybersecurity experts and enthusiasts to get involved below—and we look forward to seeing and meeting everyone in Las Vegas!

Cyber Battle Competition – Play to Win!
Celebrity cybersecurity expert and ethical hacker Vinny Troia will oversee and judge the competition, providing commentary on gamers’ progress for non-competitors watching the action.

Qualifying rounds take place July 27-28 and finals will be held on-site at the new Esports Arena inside the Luxor Hotel and Casino in Las Vegas. Finalists will then compete live on-stage on August 7 from 6 to 10 p.m. in front of an audience using the Project Ares platform to show off their cybersecurity skills and talents.

Interested competitors need to register online by July 26 or early bird entrants can register before July 22 for early access to Project Ares in order to practice. Prizes will be awarded for best offensive and defensive players as well as an MVP. Details to register can be found here.

Competition Attendance – Watch the Action!
While the Esports Arena Las Vegas is open to the public, the competition is a true VIP experience where invited attendees enjoy food and drinks and a close-up view of the action. Audiences can watch the top players compete live on-stage for the inaugural “Project Ares Titan” crown and title.

Viewers will be able to see up-close footage, live-action play, and instant replays—just like watching a football game. Audiences can jump aboard the popular game watching movement that’s inspiring a new generation of mainstream entertainment.

Private Demos – Experience the Platform!
Circadence will be hosting private in-suite demonstrations at the Mandalay Bay Hotel and Casino Monday, August 6 through Thursday, August 9 from 10 a.m. – 4 p.m. for those interested in learning more about the platform’s capabilities for cyber teams.

Demo registrants can speak one-on-one with Circadence representatives about their specific cybersecurity challenges and needs to find the best solution for them. Food and drink will be available in the suite. Interested parties can sign up for a 30-minute demonstration here.

“We are excited to host the first Project Ares ‘Game of Titans’ Cyber Challenge for both novice and experienced cyber professionals, and the Esports Arena is the perfect space for attendees to experience the power and capabilities of the platform up close,” said Keenan Skelly, Circadence VP of Global Partnerships and Security Evangelist. “We hope the competition will inspire curiosity in using gamification in training as well as help people see for themselves how the platform can aid in their professional development, so they can keep pace with evolving cyber threats.”

If you still need more information about getting involved in any of these opportunities, please contact Amy Dageenakis.

GUIs Are Evil

Graphical User Interfaces (GUIs) are evil. Or in the words of a friend of mine – “the work of the devil.” I know people generally like shiny windows and icons and that’s fine for a lot of work. But, when it comes to being an info security professional, GUIs are just wrong in many cases. Stick with me. You will want to rethink your position on “just give me a shiny GUI over white letters in a stark, black window any day.” Here are a few reasons why GUIs aren’t necessary.

Minimize distractions

One of the biggest issues with a GUI is that it is designed to take away the onerous drudgery and work from performing computing tasks. If I’m writing a document, such as this one, give me a few bells and whistles so I can more easily manipulate text using a mouse. However, if I’m honest, I’m writing this in as close to a text editor as you can get. No frills. No clutter. Just a visual representation of a sheet of paper. Sometimes you need to shove everything off your desk and get to work without the distractions.

Don’t bury the details

When a GUI appears to be doing a lot of the work for you, it is. At the same time, it’s hiding a lot from you. The developers believe, sometimes rightly, that the details are clutter that will get in the way of you doing your job. You should be focused on the work and not the minutiae of how the work is done. However, the very things the GUI is hiding from you are often the details that you really need to see as a technology professional. Without the details, it can be hard to learn how everything fits together. As an example, if you were doing forensics work with a GUI tool like EnCase or FTK, you either wouldn’t see some of the low-level details at all or would have a harder time finding them than you would with a tool like SleuthKit. With SleuthKit, you really need to understand how the filesystem is put together to be able to make sense of the output.

Beyond that, there are cases where the tools you need for a task are just command-line based. As an example, if I want to see whether another system is available and responsive on the network, I would use the program ping. There is no GUI alternative, at least installed by default on most operating systems, for ping. The same is true for traceroute/tracert. If you needed to do some troubleshooting for problems with your domain name server, it’s easiest to use a program like nslookup or dig. No GUI-based equivalents are installed by default.

Automatic task completion

The last case I will put to you, though there are several others, is the ability to complete complex tasks automatically. When we use command line programs, we can put a list of those commands together into a file and have the entire list executed. On Windows, this would be called a batch file or a PowerShell script. On Linux, it would be called a shell script. This means you can have a complete process that can be repeated verbatim, over and over again. On Linux and other Unix-like operating systems, including macOS, you can chain several commands together to perform complex operations. The ability to take the output from one command and use it as an input to another program is called piping.

Let’s take an example. The following command sequence takes the idea of piping beyond just output -> input.

ps auxww | tr -s " " | cut -d " " -f 2 | sort

This command sequence gets you a process list, which has runs of space characters between columns, and sends the output to tr, a program that translates characters. With -s, tr squeezes each run of spaces into a single space. The output, without the extraneous spaces, goes to the program cut. This program cuts the second column (field) from each line, using the space character as the delimiter between the fields. Finally, the output of that, which is the process ID, is sent to the program sort. What we end up with is a sorted list of all the process IDs.
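The same pipeline, as an added example that is not part of the original post, wrapped in a shell function so it can be fed a constructed sample of ps output (the sample rows are made up for this example) rather than a live system. It also shows one caveat a practitioner runs into with the post's version: plain sort orders the PIDs as text, so "203" sorts before "42" and the "PID" header line survives, while the second function drops the header and uses sort -n to order numerically.

```shell
#!/bin/sh
# Added example (not from the original post): the post's pipeline applied to
# constructed ps-style output so it runs anywhere, plus a numeric-sort variant.

# Constructed sample of `ps auxww` output (header + three rows), with the
# padding spaces real ps emits between columns. The rows are made up.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:00   0:01 /sbin/init
alice      203  0.3  0.5 455000 40000 pts/0    Sl   10:05   0:12 sshd: alice@pts/0
root        42  0.0  0.0      0     0 ?        S    10:00   0:00 [kworker/0:1]'

# extract_pids: the post's pipeline, reading ps output from stdin.
# tr -s squeezes runs of spaces to one, cut takes field 2, sort orders the
# result as text (so "203" < "42" and the "PID" header is kept).
extract_pids() {
    tr -s ' ' | cut -d ' ' -f 2 | sort
}

# extract_pids_numeric: same idea, but tail drops the header line and
# sort -n orders numerically, giving the PIDs in ascending order.
extract_pids_numeric() {
    tail -n +2 | tr -s ' ' | cut -d ' ' -f 2 | sort -n
}

# Run both on the sample so the difference is visible.
printf '%s\n' "$SAMPLE_PS" | extract_pids
echo '---'
printf '%s\n' "$SAMPLE_PS" | extract_pids_numeric
```

To use it on a real system, replace the printf with `ps auxww | extract_pids_numeric`; because each stage reads stdin, the function works the same whether the input comes from a live ps, a saved capture, or a constructed sample.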

Command line programs give you a lot of control over the information you get and how it’s presented. You can enjoy your GUI programs if you like but I will tell you that if you really want to become a knowledgeable security professional, you should get comfortable with the command line. It will be your friend and give you a lot of power while minimizing your dependence on fancy GUIs.