A CISO and a DevOps Engineer walk into a video conference

Fastly

Mike Johnson, CISO at Fastly, and Ben Kero, Senior DevOps Engineer at Brave Software, are passionate about security, having 35 years of experience between them. Both are strong believers in secure DevOps (or DevSecOps) and have witnessed the many ways in which it enables their respective companies to secure their products and provide the best possible user experiences. While Mike is shepherding Fastly's vision for safety and compliance and partnering with our product team to build developer-friendly web application security tools, Ben is driving the culture behind the web's newest secure browser, day in and day out. Mike and Ben recently chatted about the concept of secure DevOps and how companies can make security a core part of their development pipeline. Here are some highlights:

There will be trade-offs. They will be worth it.
Implementing security measures early in the development process means that later updates and improvements can take more work to ship. The extra time and effort are worth it when the result is a well-secured app. The Brave team practices the principle of least privilege: each component is granted only the minimum access it needs to do its job. Ben notes the downside: if you change functionality later, you might "play whack-a-mole" trying to add the single new permission a feature needs. He also explains that the trade-off is well worth it for his team, given the level of security it gives Brave's applications. Because least privilege limits what an attacker can do with any one compromised component, it is a practice they are willing to invest in, as one that could save their properties from costly breaches in the future.

Developer ergonomics matter.
To get security measures in place earlier in the DevOps cycle, your security tools need to be built with developers in mind. The features Ben and his team value are changelogs that cover both fixes and new features, documentation on integrating the tool with workflows such as Travis or Terraform, and guidance (bonus points for screenshots!) on what a good configuration achieves, something that helps developers picture the end goal. Developer-centric tools can also add layers to a defense-in-depth strategy. For instance, Fastly's code snippets, short blocks of VCL logic that can be included directly in a service configuration, keep Brave's S3 buckets private.
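To make the S3 point concrete, here is one way a VCL snippet keeps an origin bucket private: the edge signs each origin fetch with AWS Signature Version 4, so the bucket can keep all public access blocked and still serve the CDN. This is an added illustration written for this page, not Brave's or Fastly's own configuration. It follows the standard SigV4 canonical-request procedure using functions Fastly VCL provides (`digest.hash_sha256`, `digest.awsv4_hmac`, `strftime`, `querystring.remove`); the access key, secret key, bucket name and region are placeholders, and it assumes a virtual-hosted-style S3 origin and GET-only traffic.

```vcl
# Snippet body for type "miss" (add the same body as type "pass"), so it runs on
# every request Fastly forwards to the origin. Placeholder values are assumptions.
declare local var.awsAccessKey STRING;
declare local var.awsSecretKey STRING;
declare local var.awsS3Bucket STRING;
declare local var.awsRegion STRING;
declare local var.awsS3Host STRING;
declare local var.dateStamp STRING;
declare local var.canonicalHeaders STRING;
declare local var.signedHeaders STRING;
declare local var.canonicalRequest STRING;
declare local var.stringToSign STRING;
declare local var.scope STRING;
declare local var.signature STRING;

set var.awsAccessKey = "AKIA_EXAMPLE_ACCESS_KEY";  # placeholder (assumption)
set var.awsSecretKey = "EXAMPLE_SECRET_KEY";       # placeholder (assumption)
set var.awsS3Bucket  = "example-private-bucket";   # placeholder (assumption)
set var.awsRegion    = "us-east-1";                # placeholder (assumption)
set var.awsS3Host    = var.awsS3Bucket ".s3." var.awsRegion ".amazonaws.com";

# Sign only simple object fetches, and only on the node that actually talks to S3:
# with shielding enabled, the edge node fetching from the shield must not sign.
if (bereq.method == "GET" && !req.backend.is_shield) {
  # SigV4 needs the origin host, a timestamp, and a hash of the (empty) body.
  set bereq.http.host = var.awsS3Host;
  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
  set var.dateStamp = strftime({"%Y%m%d"}, now);

  # Drop the query string and normalise the path encoding so that what we sign is
  # byte-for-byte what S3 sees (a mismatch yields SignatureDoesNotMatch).
  set bereq.url = querystring.remove(bereq.url);
  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");

  # Canonical request: method, URI, query, headers, signed-header list, body hash.
  # The canonical query string is empty because the query was removed above.
  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";
  set var.canonicalHeaders = ""
    "host:" bereq.http.host LF
    "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
    "x-amz-date:" bereq.http.x-amz-date LF;
  set var.canonicalRequest = ""
    "GET" LF
    bereq.url.path LF
    LF
    var.canonicalHeaders LF
    var.signedHeaders LF
    digest.hash_sha256("");

  # String to sign binds the algorithm, timestamp, credential scope and request hash.
  set var.scope = var.dateStamp "/" var.awsRegion "/s3/aws4_request";
  set var.stringToSign = ""
    "AWS4-HMAC-SHA256" LF
    bereq.http.x-amz-date LF
    var.scope LF
    regsub(digest.hash_sha256(var.canonicalRequest), "^0x", "");

  # digest.awsv4_hmac derives the date/region/service signing key from the secret
  # and computes the final HMAC-SHA256 over the string to sign.
  set var.signature = digest.awsv4_hmac(
    var.awsSecretKey, var.dateStamp, var.awsRegion, "s3", var.stringToSign);

  set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
    "Credential=" var.awsAccessKey "/" var.scope ", "
    "SignedHeaders=" var.signedHeaders ", "
    "Signature=" regsub(var.signature, "^0x", "");

  # Strip client headers S3 neither needs nor should see; they are not signed, and
  # forwarding them leaks client details to the bucket.
  unset bereq.http.Accept;
  unset bereq.http.Accept-Language;
  unset bereq.http.User-Agent;
  unset bereq.http.Fastly-Client-IP;
}
```

Two practitioner notes. First, this only pays off if the bucket's public-access block stays on and the IAM principal behind the access key holds nothing beyond `s3:GetObject` on that one bucket, which is the same least-privilege discipline described above applied to the origin. Second, the credentials are embedded here only to keep the example self-contained; in a real service they belong somewhere that is not version-controlled VCL, and the page does not say how Brave stores theirs.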

Secure DevOps doesn't replace post-deployment security. It strengthens it.
Applying what you learn securing CI/CD to your post-deployment security efforts lets your team find new efficiencies, chiefly through automation. The Brave team uses a custom GitHub Action that scans deployed code and sends an alert when a vulnerability is found; it even opens a pull request automatically and initiates a review. In Ben's experience, the best tools are those that minimize the time between finding a vulnerability and fixing it.

An engaged community can be your secret ingredient.
Brave draws on communities to improve both its CI/CD workflow and its products. To streamline the pipeline, Ben's team looks to their security vendors for tools built by other teams that they can repurpose. In the other direction, Brave's bug bounty program rewards users and security researchers for finding and reporting bugs in its software: a feedback loop that not only yields a more secure application for users but also reflects Brave's emphasis on trust and its open-source ethos.

For more secure DevOps wisdom, visit the Fastly blog.