
DevSecOps: When “IoC” Meets “SoC” | @DevOpsSUMMIT @Cavirin #Serverless #AI #AIOPs #DevOps #DevSecOps

It should be apparent that “infrastructure as code” and “security as code” are powerful if adopted together.

DevSecOps - When "Infrastructure as Code" Meets "Security as Code"

Not very long ago, in my IT consulting career, I used to be responsible for the launch of mission-critical applications that help enterprises leap into the cutting edge of the digital business revolution. Leading such a mission required a lot of hard skills: getting the system architecture and software design right early, mentoring and managing the engineering resources, and tracking progress to the satisfaction of the business analysts who put together the requirements and the stakeholders who funded the projects. Those skills, while hard, were largely deterministic and manageable, versus another set of skills required to ensure that the built applications come alive in production environments and run reliably and securely thereafter. This other set of skills often pits the application developers against the infrastructure administrators and InfoSec professionals. It is also typically viewed as the "last mile" in the journey to go live with any application, and can only be developed by understanding the following patterns that govern the dynamics of interaction:

  • Infrastructure Issues: Infrastructure capacity planning and provisioning is an inherently complex and time-consuming process. It requires long lead times to make sure the necessary and sufficient compute, storage, and network capacity will be available well before the very first line of code is written for the business application. All estimates of growth in scale, as well as timelines, need to be forecast well ahead of time, resulting in over-provisioning just to avoid scarcity of resources when they are needed. This is the antithesis of the way modern application developers operate, where speed, agility, and responding to change are fundamental attributes.
  • Security Issues: Because only limited, high-level information about the infrastructure topology on which their application will run is available to the developers, due to the traditional separation of development and operational team members, the "security review" is often pushed late in the development process, yet is still viewed as a gating requirement for production launch. This is known to cause severe friction between developers and InfoSec professionals, since, very often, the established security guidelines may require significant changes in the application architecture and design, causing delays and dismay among software architects and developers.

In both of the above issues, there is a common thread: the lack of visibility, communication, and cooperation between developers, IT administrators, and InfoSec professionals. It's not hard to understand the entrenched cultural issues that block communication, as these groups have traditionally operated in silos. Another way of looking at this problem is the inability of the professionals to look at the cross-domain concerns that are at play. For example, from an application developer's perspective, the features he or she develops are critical for the business. However, for an operations or security person, the potential disruption a new application can cause to smooth operation trumps any business value the new application can bring. Unless a mechanism arrives to enable such a cross-functional view, with the ability to influence a change in practices, things will remain at the status quo. Fortunately, this mechanism has arrived naturally, and is alive and thriving today, as we can see below.

Infrastructure as Code
Infrastructure-as-code, alternatively known as programmable infrastructure, is the practice of provisioning and managing data center resources through software that uses definitions of resources such as compute, storage, and network in the form of machine-readable files. It uses a form of high-level programming language through which developers can automate the configuration, deployment, and management of resources, while still adhering to the style and standards of modern-day software development practices. The advantages of such a methodology can't be emphasized enough, as it provides independence, control, repeatability, and traceability through version control. This is the first mechanism that emerged to facilitate the understanding of the cross-domain concerns between developers and IT operations. Two fundamental shifts began to emerge with this development:

  • Developers obtain a powerful handle on the problem of hardware resources, albeit virtualized ones, through a simple interface they are familiar with: APIs and software libraries. Suddenly the deployment and operation of hardware is simply an extension of the traditional coding exercise. As a side benefit, the developers now understand service level requirements such as high availability, scalability, reliability, and fail-over, resulting in a new level of appreciation for the IT operations team.
  • IT administrators obtain clear visibility into the dynamics of software engineering, the rapidity and agility that is becoming increasingly commonplace, and now acquire some development skills themselves to contribute to the programmable infrastructure. As a side benefit, they are also relieved from capacity surprises, over-provisioning of infrastructure, and change control conflicts, and become truly collaborative with the developers in leveraging the "elasticity" and the "ephemeral" nature of the programmable infra-cloud.

The convergence of the two trends described above is known as "DevOps," marking the advent of "infrastructure as code," as depicted by the diagram below:

Security as Code
The success of the "infrastructure as code" practice certainly provided a template for bringing the InfoSec professionals to the table, as we see a pickup in momentum in discussing security requirements early in the software engineering practice. The fundamental requirement for "security as code" is the ability to achieve programmable security controls and to automate the security definition, assessment, and enforcement before and after applications go live, and throughout their operational lifecycle. InfoSec professionals have certain fundamental requirements regarding the security of infrastructure and applications, such as visibility, transparency, and repeatability in the application of security controls. The challenge is to ensure that this is possible without hindering the speed of application development desired by the developers, particularly with the availability of infrastructure automation/DevOps platforms at their disposal, as depicted in the figure below.

Just as in the case of programmable infrastructure described in the previous section, this also creates two fundamental shifts in the mindset:

  • InfoSec people now believe that it is possible to expect application developers to follow secure coding practices, and to have a visible, automated way of assuring it: through textual code analysis, code-level vulnerabilities are identified early in development. It also became easier for the InfoSec people to let developers readily use "security hardened" and "fully patched" platforms with mandatory security baselines on which to build the applications.
  • Developers realize that application security concerns must be "left-shifted," and be a non-negotiable acceptance criterion before promoting applications through the stages of the SDLC pipeline such as Dev, QA, Staging, and Production.

The convergence of the two shifts described above is known as "SecOps," which marks the advent of "security as code," as depicted by the diagram below:

Putting It Together, aka "DevSecOps"
Based on the above arguments, it should be apparent that "infrastructure as code" and "security as code" are powerful if adopted together. There is a natural confluence of these two as depicted in the figure below, which calls for a harmonious engagement between the various roles and systems at play.

The following fundamental tenets of the DevSecOps framework and their merits are undeniable:

  • Introduce agility and speed by investing in a hardened tool chain covering the develop-test-deploy-monitor lifecycle of applications and resources.
  • Question everything by creating visibility at every stage of the Continuous Integration / Continuous Delivery (CI/CD) pipeline.
  • Bring security as a fundamental and non-negotiable acceptance criterion early in the development process, in other words, "left shift" security.
  • Suspect everything, including code, configurations, artifacts, and infrastructure, and establish security assessment as a requirement for progress through the pipeline.
  • Promote often, and promote confidently through Dev, QA, Staging, and Production.
  • And finally, automate, automate, automate.
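The tenets above can be expressed literally as code. The following is an added example, not code from the original post or from Cavirin: a small Python gate that treats a constructed "infrastructure as code" manifest as the thing under suspicion and a set of version-controlled policies as the "security as code" that assesses it before promotion. The stack, the policy rules, the approved-image list and the severity scheme are all constructed for illustration and do not correspond to any real IaC tool or vendor rule set.

```python
"""Security-as-code gate over an infrastructure-as-code definition.

Constructed example: the resources below mimic a small cloud stack (two VMs,
two storage buckets and two firewall rules) expressed as plain data, the way
an IaC tool would serialise them. The policies are illustrative checks.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed IaC manifest: resource name -> attributes (hypothetical values).
STACK = {
    "web-vm": {"type": "vm", "image": "ubuntu-20.04-hardened", "public_ip": True},
    "db-vm": {"type": "vm", "image": "ubuntu-18.04", "public_ip": False},
    "logs-bucket": {"type": "bucket", "public": False, "encryption": "aes256"},
    "assets-bucket": {"type": "bucket", "public": True, "encryption": None},
    "allow-ssh": {"type": "firewall_rule", "port": 22, "source": "0.0.0.0/0"},
    "allow-https": {"type": "firewall_rule", "port": 443, "source": "0.0.0.0/0"},
}


@dataclass
class Finding:
    resource: str
    policy: str
    severity: str  # "high" blocks promotion; "medium" is reported only


@dataclass
class Policy:
    name: str
    applies_to: str              # resource type the rule is evaluated against
    severity: str
    violated: Callable[[dict], bool]


# Security as code: the mandatory baseline lives beside the application code
# and is reviewed and versioned like any other source file (constructed list).
APPROVED_IMAGES = {"ubuntu-20.04-hardened"}

POLICIES = [
    Policy("approved-hardened-image", "vm", "high",
           lambda r: r["image"] not in APPROVED_IMAGES),
    Policy("no-public-bucket", "bucket", "high",
           lambda r: r["public"]),
    Policy("bucket-encryption-at-rest", "bucket", "medium",
           lambda r: r["encryption"] is None),
    Policy("no-admin-port-from-internet", "firewall_rule", "high",
           lambda r: r["port"] in (22, 3389) and r["source"] == "0.0.0.0/0"),
]


def assess(stack: dict) -> list[Finding]:
    """Point-in-time assessment: every resource is checked against every
    policy that applies to its type, before anything is provisioned."""
    findings = []
    for name, resource in stack.items():
        for policy in POLICIES:
            if resource["type"] == policy.applies_to and policy.violated(resource):
                findings.append(Finding(name, policy.name, policy.severity))
    return findings


def gate(findings: list[Finding]) -> bool:
    """Pipeline gate: True means the stage may be promoted. Any high-severity
    finding is a non-negotiable failure; medium findings are reported only."""
    return not any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    results = assess(STACK)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.resource}: {f.policy}")
    print("promote" if gate(results) else "blocked: fix high-severity findings first")
```

Run as a CI step, the script's exit status would become the promotion decision; the same `assess` function can be re-run against a snapshot of the live environment after go-live, which is what makes the control repeatable and traceable rather than a one-off review.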

While it is possible for enterprises to build home-grown solutions around this, it pays immensely for them to seek out solution vendors that have thought through this deeply and integrated it into the DNA of their products. There are several viable open source platforms available as well, that may require more in-house expertise in putting things together.

Essential Characteristics of a DevSecOps Oriented Security Management Platform
There are multiple options available in the marketplace for enterprises that are interested in establishing the DevSecOps model in their application development, deployment, and infrastructure management. While researching the suitability of any such platform, the following fundamental requirements must be kept in mind:

  • It must be programmable by exposing open APIs.
  • It must have the platform ability to integrate and coexist with the IT ecosystem.
  • It must be cloud-agnostic, and flexibly deployable across multiple infrastructure topologies.
  • It must be able to secure applications before they go live in production.
  • It must help establish a security baseline, and allow drift from it to be watched for continuously.
  • It must support point-in-time as well as event-driven, monitoring-based security assessments.
  • It must report issues truthfully and knowledgeably, and offer means of remediation.
  • It must create full-circle awareness of the operation of the pipeline through notifications.
  • It must be able to support incident response mechanisms through easy integrations with other systems.
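Two of these requirements, establishing a baseline and watching for drift, and running both point-in-time and event-driven assessments, are illustrated by the following added example. It is not code from the original post or from any vendor's platform: the host settings, the fingerprint scheme and the event kinds are constructed for illustration, and a real platform would pull the snapshot from an agent or cloud API rather than from an in-memory dictionary.

```python
"""Baseline capture and drift detection for security-relevant settings.

Constructed example: the snapshots below are made-up host settings; the
event kinds and the SHA-256 fingerprint are an illustrative scheme.
"""
import hashlib
import json
from typing import Callable

# Constructed point-in-time snapshot: the state InfoSec signed off on when
# the application went live. This is the security baseline.
BASELINE_SNAPSHOT = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.enabled": True,
    "packages.openssl": "1.1.1k",
    "users.sudoers": ["deploy"],
}

# Constructed later snapshot of the same host after someone "temporarily"
# relaxed SSH and added an extra administrator.
DRIFTED_SNAPSHOT = {
    **BASELINE_SNAPSHOT,
    "sshd.PermitRootLogin": "yes",
    "users.sudoers": ["deploy", "tmpadmin"],
}

# Event kinds (hypothetical) that should trigger an immediate re-assessment.
TRIGGERING_EVENTS = {"config_changed", "package_installed", "user_modified"}


def canonical(snapshot: dict) -> str:
    """Stable serialisation so identical settings always hash identically."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":"))


def fingerprint(snapshot: dict) -> str:
    """Short identity for a baseline, suitable for recording in a ticket or log."""
    return hashlib.sha256(canonical(snapshot).encode()).hexdigest()


def drift(baseline: dict, current: dict) -> dict:
    """Return {setting: (expected, actual)} for every deviation from baseline,
    including settings that appeared or disappeared."""
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes[key] = (baseline.get(key), current.get(key))
    return changes


class DriftMonitor:
    """Holds the approved baseline and records every drift alert it raises."""

    def __init__(self, baseline: dict):
        self.baseline = dict(baseline)
        self.baseline_id = fingerprint(baseline)
        self.alerts: list[dict] = []

    def assess(self, snapshot: dict, trigger: str = "scheduled") -> dict:
        """Point-in-time assessment (e.g. a nightly job); an alert is recorded
        only when the snapshot deviates from the baseline."""
        changes = drift(self.baseline, snapshot)
        if changes:
            self.alerts.append({"trigger": trigger,
                                "baseline": self.baseline_id,
                                "changes": changes})
        return changes

    def on_event(self, event: dict, snapshot_provider: Callable[[], dict]) -> dict:
        """Event-driven assessment: a change event on the host prompts a fresh
        snapshot and the same assessment, instead of waiting for the schedule."""
        kind = event.get("kind")
        if kind in TRIGGERING_EVENTS:
            return self.assess(snapshot_provider(), trigger=f"event:{kind}")
        return {}


if __name__ == "__main__":
    monitor = DriftMonitor(BASELINE_SNAPSHOT)
    print("baseline", monitor.baseline_id[:12])
    print("scheduled check:", monitor.assess(BASELINE_SNAPSHOT) or "no drift")
    for event in [{"kind": "heartbeat"},
                  {"kind": "config_changed", "path": "/etc/ssh/sshd_config"}]:
        changes = monitor.on_event(event, lambda: DRIFTED_SNAPSHOT)
        for setting, (expected, actual) in changes.items():
            print(f"DRIFT via {event['kind']}: {setting} expected {expected!r}, found {actual!r}")
```

Recording the baseline fingerprint with each alert ties the finding back to the specific approved state it was judged against, which is the "truthful, knowledgeable" reporting the list above asks for, and the `changes` mapping is already in the shape a notification or ticketing integration needs.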


More Stories By Ravi Rajamiyer

Dr. Ravi Rajamiyer serves as Cavirin’s vice president of engineering. He leads the engineering organization at Cavirin, where he is responsible for Cavirin’s products, services, as well as research and development. He is a seasoned software engineering professional, with a solid track record of building, mentoring and leading high-performance engineering teams. In his career, Ravi has spanned product development and R & D responsibilities at Yahoo, VMWare, and a couple of successful Silicon Valley technology startups. He has an MS from Indian Institute of Technology (IIT) Bombay, and a PhD from Washington University in St. Louis.
