As Vice President of Information Security at
“We’ll give different practitioners the freedom to do what they want to do. But it’s their responsibility to do it to a certain standard. And so my security tools have to be in lockstep with that. My tools can’t block them from the freedom that is a core tenet of Netflix.”
Benefit of DevSecOps
And his organization uses the DevSecOps methodology to make things work for everyone: developers and programmers, security, and business operations.
We interviewed Sanders at SecureWorld Bay Area (where he serves on the Advisory Council) about this DevSecOps approach and why he suggests getting started right now if you plan to implement the methodology during 2019.
Watch our brief interview or see excerpts below:
[SW] How do you describe DevSecOps?
[Sanders] “We like to say rails without barriers. In the past, we’d do a model, a waterfall model for a lot of security executives, where we’d stop it if we saw a vulnerability in the code.
With a rails aspect of it, for certain minor vulnerabilities, you let it go because you iterate faster.
So you’re working with the developers to develop it faster, instead of telling them they can only develop and push code once every month or every two months. Let them develop and push the code as fast as they want, or as is reasonably possible, to push quality code while having security embedded into it.”
[SW] What would you say to security leaders who are thinking about the DevSecOps approach?
[Sanders] “It’s always today to start it and not tomorrow ‘to think about it.’ Because every day you wait, your developers are already doing their sprint cycles. Your executives probably understand that.
It is security that may not be in line with the business. And if you’re not in line with the business, either they’ll find somebody who is or the code that gets released will not be in line with security.”
How do you define DevSecOps?
DevSecOps, simply put, is the integration of security and its related best practices into the continuous integration and deployment pipeline, so that security checks run throughout the product lifecycle rather than as a single review before release.
It requires communication between groups that previously might not have connected until the later stages of development. It also surfaces areas where developers and security can agree to automate: checks that run on every build, with an agreed threshold for what stops a deploy and what is merely tracked.
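One concrete form the "rails without barriers" idea takes in a pipeline is a severity-based gate: every build is scanned, findings at or above an agreed severity stop the deploy, lower-severity findings are recorded and tracked without blocking, and accepted risks are carried as exceptions with an owner and an expiry date. The script below is an added example written for this page, not code from Netflix or from SecureWorld. The report format, the finding ids, the package names and the severity threshold are all constructed for illustration; a real scanner's output would need its own small adapter.

```python
import json
from datetime import date

# Severities that stop the pipeline. Anything below is reported and tracked
# but does not block the deploy. The threshold is a hypothetical policy
# choice for this example, not a recommendation from the interview.
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed scanner output, shaped like a generic SCA/SAST report.
# The ids, packages and titles are made up for the example.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1001", "severity": "HIGH", "package": "libexample",
         "title": "deserialization of untrusted data"},
        {"id": "F-1002", "severity": "medium", "package": "webfront",
         "title": "missing cache-control header"},
        {"id": "F-1003", "severity": "critical", "package": "authlib",
         "title": "authentication bypass"},
        {"id": "F-1004", "severity": "low", "package": "cli",
         "title": "verbose error message"},
        {"id": "F-1005", "severity": "", "package": "vendored-blob",
         "title": "unscored finding"},
    ]
})

# Accepted-risk exceptions, each with an owner and an expiry date.
# Constructed for the example. In practice this file lives in version
# control next to the pipeline definition, so changes to it are reviewed
# like any other code change.
SAMPLE_EXCEPTIONS = {
    "F-1001": {"owner": "team-web", "expires": "2099-01-01"},
    "F-1003": {"owner": "team-auth", "expires": "2000-01-01"},  # lapsed
}


def evaluate(report_json, exceptions, today_iso):
    """Return a gate decision for one scan report.

    Fails closed: a finding with no parseable severity is treated as
    blocking, because an unscored finding is not evidence that it is minor.
    An exception only suppresses a finding while it is unexpired; a lapsed
    exception is reported separately so the owner can renew or fix it.
    """
    today = date.fromisoformat(today_iso)
    findings = json.loads(report_json)["findings"]
    blocking, tracked, lapsed = [], [], []
    for f in findings:
        sev = (f.get("severity") or "").strip().lower()
        severe = sev == "" or sev in BLOCKING_SEVERITIES
        exc = exceptions.get(f["id"])
        if severe and exc:
            if date.fromisoformat(exc["expires"]) > today:
                tracked.append(f["id"])  # accepted risk: visible, not blocking
                continue
            lapsed.append(f["id"])
        if severe:
            blocking.append(f["id"])
        else:
            tracked.append(f["id"])
    return {
        "decision": "block" if blocking else "allow",
        "blocking": blocking,
        "tracked": tracked,
        "lapsed_exceptions": lapsed,
    }


if __name__ == "__main__":
    # Exit status is what the CI job keys on; the JSON is for the build log.
    result = evaluate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, "2024-06-01")
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if result["decision"] == "block" else 0)
```

Run against the constructed sample with a "today" of 2024-06-01, the gate blocks on F-1003 (its exception lapsed) and F-1005 (no severity, so it fails closed), tracks F-1001 under a live exception alongside the medium and low findings, and exits non-zero so the CI job fails. Two design points worth keeping whatever the real scanner is: the threshold and the exception list are data reviewed in version control, not logic buried in the job, and the gate never silently drops a finding, it only decides whether that finding stops this deploy.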
This is something Sanders and other security leaders are increasingly talking about at SecureWorld conferences across North America. Here's why he believes in CISO collaboration:
“Now groups are getting together, we’re at SecureWorld and we’re teaming up to utilize our network and a common core set of tools.”