“Cybersecurity is a software ‘arms race’ between companies managing IT and software infrastructures that protect sensitive data and bad actors who create infrastructure and software to break through those protections.”
– Dr. Mik Kersten, Project to Product: How To Survive and Thrive in the Age of Digital Disruption with the Flow Framework™
The RSA Conference (March 4-8, 2019) kicks off today in San Francisco, serving as a timely and important reminder of the criticality of securely building products in an increasingly unsafe digital world. With DevOps security becoming a bigger and bigger topic by the day, the practice even has its own acronym and parallel show, DevOps Connect: DevSecOps Day (March 4, 2019).
With security breaches on the rise, up 75 percent in just two years, enterprises must look to bring security activities closer to the ideation and creation stages of the software delivery value stream if they’re to avoid the fate of Equifax and the like. As Robin Yeman of Lockheed Martin drummed home during her session at Tasktop Connect 2018, “security used to be out of the equation [in software delivery], now it must be part of the product lifecycle.”
2017 was more than a simple “wake-up call” about digital security in the Age of Software – it was a wrecking ball through the windows of every business leader worldwide. Nobody wants to lose their job and end up being schooled in Congress like former Equifax CEO, Richard Smith – especially for something they typically regard as “an IT problem” (Smith blamed the whole mess on a single software developer).
It is this breach story, alongside many others – vulnerabilities at Home Depot, Target, JP Morgan Chase and others have led to hundreds of millions of accounts being compromised – that cuts to the very heart of the issue. Businesses want to digitally transform to ensure their survival, but as our CEO Dr. Mik Kersten laments in a DevOps Digest podcast, “leaders of these companies are not understanding that they have an organizational responsibility to managing their IT stack. That stack is how they’re delivering value to their customers and how they’re exposing their customers’ data or safety.”
The cold hard truth is that IT security is neither a business leader’s nor an IT leader’s responsibility; it is an organizational responsibility. As John Esser, Senior Director of IT and Data Center Operations at AdvancedMD, emphasizes in the same podcast, it “was truly an organizational failure all the way up and all the way down. Any security auditor would pick up on these things in a basic audit – how long was some auditor saying, ‘We have a problem’?”
What’s more, this risk – alongside critical defects – is an item that can be easily managed within the production system as long as it is prioritized together with new features and technical debt (as explained in Mik Kersten’s book Project to Product and the pioneering Flow Framework™).
Given the dire consequences that we’ve seen, risk and security must not be compromised in favor of speed-to-market and/or sparkling new features. It doesn’t matter how great a product is, or that you’re the first to release a new feature, if it leaks customer data like a sieve. By treating risk items as a major component of a product value stream, business leadership can safeguard their business and innovate more safely.
A key part of managing security risk and defects is being able to see them; you can’t fix what you can’t see (at least not until it’s too late). And that’s not easy to do in enterprise software. The bigger the application, the larger its attack surface. Auditing has never seemed so much like building a house of cards in the wind.
As systems scale to serve more customers and Cloud adoption continues to drive everything online, it can often feel like trying to spot an assassin in a sea of people. But what if we could put a bright pink hat on them to follow them through the crowd? Well, Value Stream Integration does just that. By connecting all tools involved in the planning, building and delivering of software – including Application Security tools like our close partner WhiteHat (Booth 1459, RSA) – we make invisible knowledge work (and dangerous byproducts) visible and easier to address.
By integrating Agile Planning tools with WhiteHat and other tools in the value stream, everyone has real-time visibility into red flag issues as they arise: faster detection and faster resolution, without all that slow, cumbersome and error-prone manual work through spreadsheets, tool-switching, email threads and so on. Given what happened at Equifax, do you really want to test fate with such a porous, quicksand approach? Automation through Value Stream Integration is a godsend in that respect.
Patrick Kennedy Anderson is Content & Editorial Manager at Tasktop. He is a storyteller with 10+ years’ experience in copywriting, marketing communications & PR in Europe & North America for corporate, SMEs, startups, & non-profit organizations in software, tech, sports, exhibitions, architecture & design. He is an aficionado for the Project to Product movement.