Ship on day one
How to Secure Your DevOps Pipeline
Archis Gore, CTO of Polyverse, discusses the paradigm shift that’s shaking up security in software development.
DevOps — particularly when it comes to cloud infrastructure and containerization — is enough to keep infosec engineers up at night. Not only has the philosophy created new challenges in securing the development pipeline, it has also changed the way teams approach security itself. As Archis Gore, CTO of Polyverse, points out, the focus has shifted to the application level. “Look at securing the app,” he says, “not the infrastructure.”
In this week’s episode of the Ship It Show, Gore discusses that cultural shift and the way that software and infosec engineers should adjust their approach to development. Step one? Don’t externalize security. “There’s no external actor who’s going to come in and say, ‘Just because I exist, you’re secure,’” he says. “There’s no such system.”
Instead, a team’s focus should move from control to trust. “It’s about externalizing decision making,” Gore says. “Let’s call it automated control. Give tools to other people that they can use to enforce your decisions or your ideologies or your preferences across the system.”
In other words, Gore says, the days of reducing risk through isolation have come to an end: “We need tools that are easy, that are lightweight, that everyone can use, and that stay out of your way until they’re needed.”