Why You Need to Take Security and DevOps Seriously: An Interview with Jeff Payne

Summary:
In this interview, Jeff Payne, the CEO and cofounder of Coveros, explains why major companies just aren’t that good at security. He discusses how you can better protect your business, as well as why DevOps can and should be a key to your success.

Jennifer Bonine: All right, we are back with more virtual interviews. Hopefully all of you out there are still checking us out and watching. So I'm excited to be here with Jeff. Jeff, good to have you again.

Jeff Payne: Nice to be here.

Jennifer Bonine: To talk about all the exciting and interesting things that happen in our world, right?

Jeff Payne: Yes, lots of exciting things happening.

Jennifer Bonine: Exactly.

Jeff Payne: This isn't a political show, is it?

Jennifer Bonine: No, no.

Jeff Payne: Just checking.

Jennifer Bonine: Can we talk about that? Is that allowed? I'm not sure. So maybe what we could talk about to start—because again, we talk a lot about security and the implications of that, and being in that space and knowing about how you should take care of that ahead of when badness happens would be a good thing. So why don't you tell us a little bit your take on some of the recent events in the news around some major players?

Jeff Payne: Major players.

Jennifer Bonine: Yeah. Major players like Equifax.

Jeff Payne: Yeah, like Equifax. Yeah, let's talk about them.

Jennifer Bonine: So maybe a little bit your thoughts on companies like that and their level of responsibility, or for folks out there that work for companies, their level of responsibility to the consumer that they are serving at the end of the day and their information.

Jeff Payne: I'm amazed that we're this bad at security.

Jennifer Bonine: Right?

Jeff Payne: What happened there, just from what I read, it was something that was so easy to prevent, so easy to fix, and all they can do is make excuses. I read the thing from their seventh testimony or whatever it was, and I think I tweeted out, "I wish I was there." Because I would have loved to have asked some real questions, because the former CEO was dancing all around, and the answers he gave were pathetic, in my view. There was no excuse for what happened at Equifax. There are automated tools out there that will find that; they will thwart and block those kinds of things from going to production if you set them up in the DevOps pipeline, for instance. There are open source tools, there are commercial tools.

That kind of level of—I won't call it incompetence, but just bad security practices, just astounds me because it's so simple, it's so easy to prevent.

Jennifer Bonine: Do you think, I mean, kind of your perspective on this, do you think it's companies just taking it like insurance, like if nothing bad happens I don't want to spend the money, right? But as soon as something bad happens, the implication of what they're going to pay out and what this will cost them, it's massive. Not to mention consumer confidence in their brand.

Jeff Payne: Absolutely.

Jennifer Bonine: You know that brand confidence. What you've seen before, obviously, working with a lot of companies around security, prevention, taking the steps, what do you think was going through their mind? When people don't do it, to your point, it's not that hard, there are things you can do if you choose to do it. What have you seen blocking companies or making them not take the steps they should that are available to them?

Jeff Payne: I think part of it is the insurance mentality. They just don't think it will happen to them, and they're not going to really worry about it until it does happen to them. Then it's too late for consumers, right?

Jennifer Bonine: It's way too late.

Jeff Payne: Security, to me, is getting as important as safety-critical types of applications. You don't see, in general, companies that provide pacemakers, avionics software, or nuclear reactors. They take assurance to another level because they understand that it can never fail. Security is getting to that point in my opinion, and a lot of these companies have bobbed and weaved and danced around the problems and skated through, but now we're starting to see CEOs get fired and other things happen.

Jennifer Bonine: Or should go to jail.

Jeff Payne: Well, they should.

Jennifer Bonine: I mean, they should be held accountable from a legal perspective.

Jeff Payne: The organization should be held accountable all the way up to the top. Until it's that serious and taken that seriously, we're going to keep having these issues, because there are a lot of people putting their heads in the sand and just not doing what they know needs to be done because they either don't want to spend the money or they figure, well, we'll get away with it, or whatever. It's ridiculous.

Jennifer Bonine: Doesn't that beg the question, right, so you mentioned a couple of things like, around, we have quite a bit of regulation around Med Device, we have quite a bit of regulation around FDA. Why don't we have regulation that says if you have consumers' data and information, there's minimum standards you have to meet and be validated against from a security perspective to protect their data?

Jeff Payne: It's coming.

Jennifer Bonine: It should, right? I really think it should. This should be a call out there for all of the consumers saying, how can you keep doing this? Like, it's not the first time we've seen it. Every year when you and I chat it seems like there's a major issue.

Jeff Payne: Another company to talk about.

Jennifer Bonine: Right. It's Home Depot, it's Target Corporation. These are not small players. These are big companies that are having issues, and then there's all the ones that are smaller that we probably don't hear as much about. But there are steps that you can take, and one of the things I think too, just from the perspective of all the folks watching, is get educated. Like, everyone should be educated to start asking the questions and raising the issue. No one should be immune from saying, hey, did we look at this, is this part of our plan? Do we have a plan to address it, are we talking about it? Because looking at it, testers kind of have that voice of the consumer, they should be raising the flag. So, get educated on it.

Where are some good places to go? Like people are saying, hey, I just don't even know where to start with security and security testing, and that seems scary. It's kind of like one of those things that are like, oh, performance, automation, security. "Those all seem terrifying, what do I do?"

Jeff Payne: Yeah, yeah. A couple suggestions. I do a security testing tutorial—I do it here at the conference, I do it at other places. And one of the resources I really like is OWASP, Open Web Application Security Project, owasp.org. They have a litany of information about security testing, free tools you can use to get started, tutorials on how to learn how to do better security testing.

To me, everybody in the testing community should be learning how to look for security vulnerabilities. They're that important, it ought to be integrated in with all of our other testing. It should not be something that is only done by some other group right at the end of the lifecycle. That doesn't work in DevOps, it doesn't work in agile. We've got to work to fix that.

So that's one place, obviously. I write and speak a lot on it, obviously. There's lots of stuff out there I've written people can look at, too. So they can access that stuff as well as others.

Jennifer Bonine: Yeah. So go take a look. What I would recommend and would love your thoughts on, but everyone should have a minimum level of knowledge on it. If you're a tester and you're in a testing profession, do not bury your head in the sand and say, "It's not my job, we have a security group or a compliance group or some group that does something." Getting some base level of education, I think, would benefit all of us.

Jeff Payne: It's good for your resume, too.

Jennifer Bonine: Yeah.

Jeff Payne: Right? The word "security" is a good thing to have on your resume, just like "DevOps" is right now, so why not take advantage of that?

Jennifer Bonine: Leading us into another topic, though: DevOps, right. So for a couple years we've been talking DevOps. What are you seeing now on, you know, there's lifecycles of topics or things that people are investing in. Where do you think we're at right now on this DevOps lifecycle of ... Do people really get it? Do we understand what it is yet?

Jeff Payne: It's still in the pilot phase for most organizations, I'd say. I mean, there's certainly the companies that you read about all the time that are doing continuous delivery and continuous deployment, all that stuff, and have been doing it for a long time, but they're on the leading edge. There's a lot of people that are just getting going, particularly those that have kind of, you know, industrial-strength legacy types of applications.

I heard a lot yesterday. I gave a half day tutorial on DevOps here, and we do a two-day course on it. It's always interesting to hear the questions because it gives me an idea of who's dealing with what, whereas a couple years ago it was a lot of questions about just getting a baseline set of tools in place and starting to automate. I heard a lot of questions yesterday that were all around the real hard problems: "I've got legacy systems, mainframe systems ..."

Jennifer Bonine: "How do I do that?"

Jeff Payne: "My data is only in production. How do I manage that data? If I'm going to test in a production-like environment but I don't want to use production data because of privacy issues, what are my options and alternatives, how do I virtualize that?" Service virtualization came up. We talked a lot about microservices, which is a big push these days for modernization. People are struggling with real hard issues now about, how do I actually make this work, which is good because it means they're getting into it.

Jennifer Bonine: Yeah, that they're getting more mature. So we've gone beyond just the, what tools do I need and what should I do to get started.

Jeff Payne: "Tools are going to solve all my problems."

Jennifer Bonine: Exactly. And now they're actually using it and going, okay, here's my challenges, using this and how does this work. Are you seeing, so again, that's a good question, and some folks out there are saying, "I work in an organization that has monoliths of old legacy stuff that we have to maintain and we haven't been able to go to microservices, and we're struggling with how we've only got data in production." Any good places to start for people like that to get going, as opposed to just being blocked and stopped and just saying, okay, throw up your hands, I'm done, we can't do it, it's not possible?

Jeff Payne: It certainly is possible. We've built DevOps pipelines at Coveros for customers that are using legacy systems. It is possible. It is most definitely harder than if you're a startup, green field, everything's in the cloud. Of course it's harder, but it most definitely can be done. There's good resources, and if you follow any of Gene Kim's stuff, he wrote The Phoenix Project, he does a lot ...

Jennifer Bonine: Great book, by the way.

Jeff Payne: I love that book.

Jennifer Bonine: That is a great book, for those of you that haven't read The Phoenix Project, amazing book, everyone should read, a quick read, too.

Jeff Payne: Yeah, it's easy. It's a parable, so it's fun to read too, it's actually interesting, unlike many technical books.

Jennifer Bonine: Yeah, they get boring. They put you to sleep, this will not. It's a good read.

Jeff Payne: So that's a good place to start. I was just offering up to the people that went to my tutorial, we've written a couple of papers, white papers, and given a couple presentations on how do you get going with legacy systems and DevOps. I'm happy to send them to anybody that wants them. Just hit me up on Twitter.

Jennifer Bonine: Okay. So how do they find you on Twitter?

Jeff Payne: @jefferyepayne. That's my Twitter handle, look for me. Or [email protected]. I'll send you whatever we have on it as well, and there's a devops.com organization that has a lot of resources there as well and reports on what people are doing. One of the nice things I like is that there is now a State of DevOps report that comes out every year, and it has lots of stats on what people are doing, what people are successful at, and good information you can use to combat management who might be saying, "This can't be done" or "Oh, test automation, nobody's really doing it" or "The people that are doing DevOps, they move real fast, but their quality is bad." A lot of myths that just aren't true.

Jennifer Bonine: So helping get some data and some information.

Jeff Payne: Exactly. Case studies stuff.

Jennifer Bonine: Finding that so that you can combat some of that. So good places to look. So we've covered a little bit on security, a little bit on DevOps for folks that are out there, and then one other interesting thing that you do here is the Leadership Summit, which takes place on Friday, so at the end of this week. I know we always talk about what do we think is going to be hot, and you guys have a real nice way of customizing the summit based on what's keeping people up at night as leaders and gathering that information in real time from the folks who are going to attend. So any predictions on what Friday will hold?

Jeff Payne: I've learned that predicting what ...

Jennifer Bonine: The future holds?

Jeff Payne: For this group, I've learned it's impossible, because every time I see a trend like, oh, we're going to see more of that, then it just completely disappears the next time. It bobs and weaves. It's interesting what people are worried about, what keeps them up. It's the question we ask: As a leader, what keeps you up at night? And the responses you get really vary year to year. And there are some that are always the same, but you always hear how do I motivate my staff, how do I find good people, how do I grow my people, how do I do more with less? Those kinds of things.

But the specific things like, they're worried about transitioning to agile or they're worried about offshore and dealing with distributed teams. Those are the things that kind of ebb and flow. Sometimes they're hot and everybody wants to talk about it, sometimes they're not on the agenda, and it's interesting.

Jennifer Bonine: It is interesting to see what will come up then. Have you seen a trend at all, I guess, in those leadership summits about more people worrying about things like security, because that one just comes so top of mind for me, not being someone who came from that space. But you see all the fallout and it is so damaging in terms of a company. Have you seen any more people wanting to talk about that?

Jeff Payne: No. Never once has security come up at the Leadership Summit. Isn't that funny?

Jennifer Bonine: That blows my mind. It really does, honestly, it does. I think as leaders, all the way up and down in an organization right now, you should be worried. I was worried years ago when we started seeing it. When you think of it, it almost to me feels like it's not a matter of if, it's when you're hit. Because they can get into anyone. I mean, they've gotten into Disney, they've gotten into Sony. Major companies that thought they were protecting themselves very well.

Jeff Payne: I always tell everybody in the security testing tutorial that security is an arms race. You're never going to be perfectly secure. And really your goal is just to get the hacker to go somewhere else.

Jennifer Bonine: Right. Where it's too hard. Like, just make it hard enough ...

Jeff Payne: Hard enough that they go to your neighbors. The other credit bureaus, they must have, like, taken that to heart and they got everybody to go to Equifax, right?

Jennifer Bonine: Right, exactly.

Jeff Payne: That's what you want to do. That's what you do on your street, right, you keep the lights on, you have a dog, car in the driveway.

Jennifer Bonine: Just don't be the most vulnerable.

Jeff Payne: Yeah. Just don't be that little house that's dark and bushes around the window.

Jennifer Bonine: Leaves the doors open.

Jeff Payne: Those are the people who are going to get attacked. You do the same thing online. Just get them to your neighbors.

Jennifer Bonine: Yeah, that's all you've got to do, right? I mean, really, honestly.

Jeff Payne: That's a really low bar actually, it's a low bar.

Jennifer Bonine: But at a simple level, just don't be the one that's easiest to get into. It's kind of like, don't be the slowest guy in the group when you're being chased by a bear.

Jeff Payne: Because the reality is, if they want to get in, they'll get in.

Jennifer Bonine: Yeah, absolutely.

Jeff Payne: If somebody wants to invest tons of money, as we've seen from kind of state-sponsored cyber attacks, right?

Jennifer Bonine: Oh yeah, where governments are sponsoring it.

Jeff Payne: They can get in. The reality is usually hackers are just looking for the easiest place to go, and you just don't want to be the easiest place.

Jennifer Bonine: No. Good tip. All right, we are already out of time, it always goes so fast. But Jeff, thanks for being here with me.

Jeff Payne: Yes, thank you very much. Enjoyed it.

Jennifer Bonine: If you want to hear more, you know where to find Jeff. Look him up on his Twitter handle or at coveros.com, they can find you there?

Jeff Payne: Yes.

Jennifer Bonine: Thanks, guys, we'll have another interview shortly.

About the author

Jeff Payne: Jeffery Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles while being recognized by Inc. Magazine as one of the fastest growing private companies in the country. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc., a market leader in software security consulting. Mr. Payne has published over 30 papers on software development and testing as well as testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, and software quality.