In talking to one of my colleagues and explaining the difference between DevOps and DevSecOps, I came across an interesting set of Google search results.
When I google for ‘misconfigured AWS S3 bucket data breach’, I get 81,000+ results. 7 million Indian financial records exposed, 128 million US household records exposed, UK print shop exposes military documents, 845 GB of data from popular dating apps, millions of Ecuadorian citizens exposed. Like the Energizer Bunny of old, it just keeps on going and going and going. The headlines show the breadth and depth of the problem, and they are pretty frightening because these breaches have a much larger scope and scale and because they are entirely preventable.
Had there been even the most cursory security review, every last one of these would have been avoidable. While I hate being pedantic, developers, in the DevOps model, are now effectively being tasked with securing applications. I don’t blame the developers. They are ill-equipped to deal with this challenge. Under the old waterfall model, security was always someone else’s responsibility and never resided with development. There has been little if any training for developers on security.
That responsibility sat with Compliance, Security, Ops, and others, groups that have now been discarded on the path to DevOps nirvana. The sad truth is that security is probably diametrically opposed to developers doing what developers do, which is write more code. If they are fiddling with settings and rights and all the other tidbits, then they are not writing code. This makes them arguably the worst group to become the new de facto arbiters of your company’s security policy and posture.