DevOps has morphed significantly since its inception. Before, continuous delivery was prioritized over proper security. Development security practices require a collective approach where everyone contributes. We talked with cloud native cybersecurity company, Twistlock, to learn their 2019 expectations of developers and security.
Last year, Twistlock predicted that developers would become more ingrained in the security element, specifically the CI processes. How did this shape out in 2018 and what can we expect as we move into 2019? What have you heard differently from developers?
John Leon, VP of Business Development & Strategic Alliances
DevOps to DevSecOps… It has become clear that the most successful enterprises effectively leverage technology for competitive advantage. They have created an organizational environment that balances speed of delivery with a cross-team responsibility for security. This trend will accelerate and become best practice in the enterprise as well as work its way into the mid-market. Development teams have a better understanding of the tools available to effectively build, ship, run, and secure application code. In the security side of the house as well.
Ben Bernstein, CEO
The process of developers being more ingrained in the security element is taking shape. Companies like JFrog, who developers know and love, are very successfully pitching the importance of hygiene of software, about how important it is to keep software up to date. Developers seem to pick on that. It’s amazing to see that JFrog is now valued at more than a billion dollars, based chiefly on how well developers understand that message.
John Morello, CTO
This prediction played out pretty much as expected. In the early days, we had to do a lot of evangelism about the value in having security embedded in the development process. Today, though, we don’t have to explain that, not only to customers already get it, they’re usually asking for help doing it. The big shift is that most savvy developers realize that embedding security early actually makes their jobs easier so there’s a personal motivation to do it, beyond the obvious security advantages.
Dima Stopel, VP of R&D and Co-Founder
I think this trend exists indeed and it is very clear. Two forces push in this direction: first is that as part of the DevOps movement developers do more than just the development itself. They are in charge of the deployment and production environment as well. As part of this effort, they must be aware of security threats and be proactive to ensure a secure application. The second force is that security teams understand that their only way to reach good application security is through developers. They use application security tools to assess the security level of different applications but they must work with dev to fix discovered problems. For example, Twistlock’s Jenkins plugin that enforces only clean images being built and reports found issues to the developer that submitted the change, is one of the most popular features in Twistlock.