
DevSecOps: When “IoC” Meets “SoC” | @DevOpsSUMMIT @Cavirin #Serverless #AI #AIOPs #DevOps #DevSecOps

It should be apparent that “infrastructure as code” and “security as code” are powerful if adopted together.

DevSecOps - When "Infrastructure as Code" Meets "Security as Code"

Not very long ago, in my IT consulting career, I was responsible for launching mission-critical applications that help enterprises leap to the cutting edge of the digital business revolution. Leading such a mission required many hard skills: getting the system architecture and software design right early, mentoring and managing the engineering resources, and tracking progress to the satisfaction of the business analysts who put together the requirements and the stakeholders who funded the projects. Those skills, while hard, were largely deterministic and manageable compared with another set of skills required to ensure that the built applications come alive in production environments and run reliably and securely thereafter. This other set of skills often pits the application developers against the infrastructure administrators and InfoSec professionals. They are also typically viewed as the "last mile" in the journey to go live with any application, and can only be developed by understanding the following patterns that govern the dynamics of interaction:

  • Infrastructure Issues: Infrastructure capacity planning and provisioning is an inherently complex and time-consuming process. It requires long lead times to make sure the necessary and sufficient compute, storage, and network capacity will be available well before the very first line of code is written for the business application. All estimates of growth in scale as well as timelines need to be forecast well ahead of time, resulting in over-provisioning just to avoid scarcity of resources when needed. This is the antithesis of the way modern application developers operate, where speed, agility, and responding to change are fundamental attributes.
  • Security Issues: Because there is only limited, high-level information available to the developers about the infrastructure topology on which their application will run, due to the traditional separation of development and operational team members, the "security review" is often pushed late in the development process, but still viewed as a gating requirement for production launch. This is known to cause severe friction between developers and InfoSec professionals, since, very often, the established security guidelines may require significant changes in the application architecture and design, causing delays and dismay among software architects and developers.

In both of the above issues, there is a common thread: the lack of visibility, communication, and cooperation between developers, IT administrators, and InfoSec professionals. It's not hard to understand the entrenched cultural issues that block communication, as these groups have traditionally operated in silos. Another way of looking at this problem is the inability of the professionals to see the cross-domain concerns that are at play. For example, from an application developer's perspective, the features he or she develops are critical for the business. However, for an operations or security person, the potential disruption a new application can cause to smooth operation trumps any business value the new application can bring. Unless a mechanism arrives to enable such a cross-functional view, with the ability to influence a change in practices, things will remain status quo. Fortunately, this mechanism has arrived naturally, and is alive and thriving today, as we can see below.

Infrastructure as Code
Infrastructure as code, alternatively known as programmable infrastructure, is the practice of provisioning and managing data center resources through software, using definitions of resources such as compute, storage, and network in the form of machine-readable files. It uses a form of high-level programming language through which developers can automate the configuration, deployment, and management of resources, while still adhering to the style and standards of modern-day software development practices. The advantages of such a methodology can't be emphasized enough, as it provides independence, control, repeatability, and traceability through version control. This is the first mechanism that emerged to facilitate the understanding of the cross-domain concerns between developers and IT operations. Two fundamental shifts began to emerge with this development:

  • Developers obtain a powerful handle on hardware resources, albeit virtualized ones, through a simple interface they are familiar with: APIs and software libraries. Suddenly the deployment and operation of hardware is simply an extension of the traditional coding exercise. As a side benefit, the developers now understand service level requirements such as high availability, scalability, reliability, and fail-over, resulting in a new level of appreciation for the IT operations team.
  • IT administrators obtain clear visibility into the dynamics of software engineering and the rapidity and agility that are becoming increasingly commonplace, and now acquire some development skills themselves to contribute to the programmable infrastructure. As a side benefit, they are also relieved of capacity surprises, over-provisioning of infrastructure, and change control conflicts, and become truly collaborative with the developers in leveraging the "elasticity" and the "ephemeral" nature of the programmable infrastructure cloud.

The convergence of the two above mentioned trends is known as "DevOps," marking the advent of utilizing "infrastructure as code", as depicted by the diagram below:

Security as Code
The success of the "infrastructure as code" practice certainly provided a template for bringing the InfoSec professionals to the table as we see a pickup in momentum in discussing security requirements early in the software engineering practice. The fundamental requirement for "security as code" is the ability to achieve programmable security controls and automate the security definition, assessment, and enforcement before and after applications become live, and throughout their operational lifecycle. There are certain fundamental requirements from InfoSec professionals regarding the security of infrastructure and applications such as visibility, transparency, and repeatability of the application of security controls. The challenge is to ensure that this is possible without hindering the speed of application development as desired by the developers, particularly with the availability of infrastructure automation/DevOps platforms at their disposal, and as depicted in the figure below.

Just as in the case of programmable infrastructure described in the previous section, this also creates two fundamental shifts in the mindset:

  • InfoSec people now believe that it is possible to expect application developers to follow secure coding practices, and to have a visible and automated way of assuring it: through textual (static) code analysis, code-level vulnerabilities are identified early in development. It also became easier for the InfoSec people to let developers readily use "security hardened" and "fully patched" platforms with mandatory security baselines on which to build the applications.
  • Developers realize that application security concerns must be "left-shifted," and be a non-negotiable acceptance criterion before promoting applications through the stages of the SDLC pipeline such as Dev, QA, Staging, and Production.

The convergence of the two above mentioned shifts is known as "SecOps," which marks the advent of "security as code," as depicted by the diagram below:

Putting It Together, aka "DevSecOps"
Based on the above arguments, it should be apparent that "infrastructure as code" and "security as code" are powerful if adopted together. There is a natural confluence of these two as depicted in the figure below, which calls for a harmonious engagement between the various roles and systems at play.

The following fundamental tenets of the DevSecOps framework and their merits are undeniable:

  • Introduce agility and speed by investing in a hardened tool chain covering the develop-test-deploy-monitor lifecycle of applications and resources.
  • Question everything by creating visibility at every stage of the Continuous Integration / Continuous Delivery (CI/CD) pipeline.
  • Bring security as a fundamental and non-negotiable acceptance criterion early in the development process, in other words, "left shift" security.
  • Suspect everything, including code, configurations, artifacts, and infrastructure, and establish security assessment as a requirement for progress through the pipeline.
  • Promote often, and promote confidently through Dev, QA, Staging, and Production.
  • And finally, automate, automate, automate.

While it is possible for enterprises to build home-grown solutions around this, it pays immensely for them to seek out solution vendors that have thought through this deeply and integrated it into the DNA of their products. There are several viable open source platforms available as well, that may require more in-house expertise in putting things together.

Essential Characteristics of a DevSecOps Oriented Security Management Platform
There are multiple options available in the market place for enterprises that are interested in establishing the DevSecOps model in their application development, deployment, and infrastructure management. While researching the suitability of any such platform, the following fundamental requirements must be kept in mind:

  • It must be programmable by exposing open APIs.
  • It must have the ability to integrate and coexist with the existing IT ecosystem.
  • It must be cloud-agnostic, and flexibly deployable across multiple infrastructure topologies.
  • It must be able to secure applications before they go live on production.
  • It must help establish a security baseline, and allow continuous watching for drift from it.
  • It must support point-in-time as well as event-driven, monitoring-based security assessments.
  • It must report issues truthfully, knowledgeably, and offer means of remediation.
  • It must create full-circle awareness of the operation of the pipeline through notifications.
  • It must be able to support incident response mechanisms through easy integrations with other systems.
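As an added illustration of the tenets and platform requirements above (this is example code, not from the article or from Cavirin), the following small Python "security as code" gate assesses constructed resource definitions against a hypothetical coded baseline, blocks promotion on high-severity findings, fingerprints the definitions so a change can trigger an event-driven re-assessment, and reports drift between two assessments. The resource schema, rule names, baseline contents and image name are all assumptions made for the example.

```python
"""Added example: a security-as-code gate that assesses machine-readable resource
definitions against a coded baseline, blocks promotion, and reports drift."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass

ANY_CIDR = "0.0.0.0/0"
# Hypothetical baseline, versioned as code next to the infrastructure definitions.
BASELINE = {
    "admin_ports": {22, 3389},                            # never open to the Internet
    "approved_images": {"hardened-ubuntu-1804-2019-01"},  # constructed image name
    "block_on": {"high"},                                 # severities that stop promotion
}

@dataclass(frozen=True, order=True)
class Finding:
    resource: str
    rule: str
    severity: str
    remediation: str

def check_security_group(res: dict, baseline: dict) -> list[Finding]:
    """Admin ports must not accept ingress from any source address."""
    return [Finding(res["name"], "sg-no-public-admin", "high",
                    f"restrict port {r['port']} to a management CIDR")
            for r in res.get("ingress", [])
            if r["cidr"] == ANY_CIDR and r["port"] in baseline["admin_ports"]]

def check_bucket(res: dict, baseline: dict) -> list[Finding]:
    """Object storage must be private and encrypted at rest."""
    out = []
    if res.get("public_access"):
        out.append(Finding(res["name"], "bucket-no-public-access", "high", "set public_access to false"))
    if not res.get("encryption_at_rest"):
        out.append(Finding(res["name"], "bucket-encrypt-at-rest", "medium", "enable encryption_at_rest"))
    return out

def check_vm(res: dict, baseline: dict) -> list[Finding]:
    """Hosts must be built from a hardened, fully patched, approved image."""
    if res.get("image") in baseline["approved_images"]:
        return []
    return [Finding(res["name"], "vm-approved-image", "high",
                    "rebuild from an approved hardened image")]

CHECKS = {"security_group": check_security_group, "bucket": check_bucket, "vm": check_vm}

def assess(resources: list[dict], baseline: dict = BASELINE) -> list[Finding]:
    """Point-in-time assessment of every resource; unknown types are suspect."""
    findings: list[Finding] = []
    for res in resources:
        check = CHECKS.get(res.get("type"))
        if check is None:  # "suspect everything": a type with no check never passes silently
            findings.append(Finding(res.get("name", "?"), "unknown-resource-type",
                                    "medium", "add a check before allowing this type"))
            continue
        findings.extend(check(res, baseline))
    return sorted(findings)

def gate(findings: list[Finding], baseline: dict = BASELINE) -> bool:
    """True when the pipeline may promote the change to the next stage."""
    return not any(f.severity in baseline["block_on"] for f in findings)

def fingerprint(resources: list[dict]) -> str:
    """Stable hash of the definitions; a changed hash is the event that triggers re-assessment."""
    canonical = json.dumps(resources, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def drift(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings present now that were absent at the last assessment."""
    return sorted(set(current) - set(previous))

# Constructed sample definitions: INFRA_V2 is INFRA_V1 plus a public SSH ingress rule.
INFRA_V1 = [
    {"type": "security_group", "name": "web-sg", "ingress": [{"cidr": ANY_CIDR, "port": 443}]},
    {"type": "bucket", "name": "app-logs", "public_access": False, "encryption_at_rest": False},
    {"type": "vm", "name": "web-1", "image": "hardened-ubuntu-1804-2019-01"},
]
INFRA_V2 = [{**INFRA_V1[0], "ingress": INFRA_V1[0]["ingress"] + [{"cidr": ANY_CIDR, "port": 22}]}]
INFRA_V2 += INFRA_V1[1:]

if __name__ == "__main__":
    before, after = assess(INFRA_V1), assess(INFRA_V2)
    print("v1 promotes:", gate(before), "| v2 promotes:", gate(after), "| drift:", drift(before, after))
```

Run as a script, the first revision promotes with one medium finding while the second is blocked, and the drift report names only the newly introduced public SSH rule with its remediation.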


More Stories By Ravi Rajamiyer

Dr. Ravi Rajamiyer serves as Cavirin's vice president of engineering. He leads the engineering organization at Cavirin, where he is responsible for Cavirin's products and services, as well as research and development. He is a seasoned software engineering professional, with a solid track record of building, mentoring and leading high-performance engineering teams. In his career, Ravi has spanned product development and R&D responsibilities at Yahoo, VMware, and a couple of successful Silicon Valley technology startups. He has an MS from the Indian Institute of Technology (IIT) Bombay, and a PhD from Washington University in St. Louis.
