Q&A with xMatters: on DevSecOps and xMatters Intelligent Communications Platform

By Community Team

As cybersecurity threats continue to mount, it can be challenging for software teams to keep up. Fortunately, new approaches to managing risk and bridging traditional gaps between IT and security are also evolving to meet changing needs and bring innovation to cybersecurity. One such approach that is making a large impact in the industry today is DevSecOps.

DevSecOps is a growing movement that seeks to embed security in every part of the development process. Implementing DevSecOps means baking in security controls and processes early in the DevOps workflow, rather than applying them (or worse, retrofitting them) at the end.

SourceForge recently caught up with Robert Hawk, the Information Security Lead at xMatters, to talk about DevSecOps and how teams can adopt a DevSecOps approach within the organization. Hawk also discusses how xMatters is helping businesses succeed in DevSecOps.

Q: Can you please give us a brief overview of xMatters? What are the company’s mission and vision, and what solutions do you offer?

Robert Hawk, Information Security Lead at xMatters

A: xMatters is a collaboration and communication orchestration company that aids in the collaboration and communication among systems and people as well as with systems to people. We have some very interesting stuff going on in the IT ecosystem: our market wants to be able to exchange relevant data between key systems while engaging the right people to resolve issues. We like to say that we provide a “just in time” communication service between systems, and especially to human beings. Think of what we provide as a relevant engine. Some call it AI, while we call it a mechanism between systems so that these systems can communicate with each other and with human beings when necessary.

Our main focus is on IT management and business continuity. Whatever system it is, we provide integrations that can pick up the support ticket related to a specific issue, and then find the most relevant human being to route it to by logic embedded in the system. This way, communication doesn’t just go to the ether. This way and with this channel of communication, users can easily acknowledge the ticket or skip it, and the system can naturally escalate the ticket up the communication ladder.

That’s where the system gets more intelligent…it can push the required communication out, and not just into the ether but in a roundabout fashion where people are easily notified. It is a very intelligent way of getting eyes on something. Prior to, this problem ticket could take hours to get seen and get addressed…but xMatters can do that within a very short time frame.

In regards to our business continuity management side, we allow our customers to craft one message, target a location, hit send, and then that message will be pushed and received within a minutes to half hour block, and you will know and see whether or not the recipients responded. You can even view saturation with our solution. Our system can easily do something like this instead of the need to craft and send out mass amounts of emails, SMS, or voicemails.

Q: Tell us more about DevSecOps. What are its goals and how does it differ from DevOps?

A: DevOps is the idea of bringing IT together, and it came about because prior to DevOps, people were simply building code and/or systems and essentially throwing a grenade over the wall to have other people make it work. This is why systems would fall and companies would suffer: stakeholders and clients and regulators had too many gaps and lost information.

The most important thing with DevOps is developers finally working in teams with the operations people to build, promote, operate, and code.

But what about a private security team? This new world is amazing and engaging, but there are also privacy and compliance regulations…and you can’t have privacy without security. So now everyone is focused on delivering privacy compliance. And how do you do this? Make sure the security team is empowering the DevOps team so that they can become DevSecOps teams.

For this to happen, the appropriate knowledge needs to be transferred, and the privacy and security must be implemented by design in the deployment. Security is an artifact of the usage of the IT tech industry. If we can aim at delivering a quality product and service, then security is no longer a blanket to be pulled on; instead, security is embedded in the product. It is all about building security into the inception as opposed to including it as an afterthought.

Q: What does it take for organizations to implement DevSecOps? Can you share with us some of the most crucial steps companies need to take to begin their DevSecOps journey?

A: Three words: develop, security, and operations. Oftentimes everyone says “let’s do it!” and then they go out and find out what a monster it is. So the first important question to ask is “what does the end product look like?” The security team has a different point of view than most others…so how do I take my team and make them able to effectively engage with the development and operations team members? These are the strategic and tactical decisions that businesses need to make.

I have a personal take on this a unified team solution with privacy: the security people have to work off of the input sectors and the terms and conditions with clients, then go through risk-based approach feeds before approaching the ongoing wheel: design, implementation, test, and verify. These new laws like the GDPR offer a new set of requirements. It is an information assurance, risk-based approach as far as conducting security and privacy goes. The design wheel is a living breathing mechanism that is the definition of any kind of project management methodology used today.

When we are talking about today’s clouds like Salesforce, Azure, and others, all of these big cloud companies are using an agile method — no one is going through the waterfall method any longer. This is in part due to the fact that, as customers, we’re looking for magic and a magical solution…we don’t want to know or want to see the work that goes on in the background. And as clients, we want this magic to be clean magic, too…we don’t want to lose information. We want to have peace of mind.

Q: How can organizations measure DevSecOps success?

A: What everyone wants to know is “how do I measure my success?” What’s funny is that from a security standpoint, no news is good news. So how do we measure success? It comes down to how much traffic a company is getting in conjunction with how busy the complaint or support line is, in addition to how fast we are turning around the issues, what the nature of the complaints is, and finally how do we input this feedback internally.

How can we capture these vulnerabilities internally and how fast can we turn these vulnerabilities into non-issues? Getting feedback on this and with all of these numbers, we can create stats and turn those into KPIs where we quantify on a dashboard whether we are good, okay, or bad. Empirical and quantifiable information.

Q: Tell us more about your company. How is xMatters helping businesses succeed in DevSecOps?

A: There are three things that set xMatters apart:

  • Customizable solutions – Our number one win in the market with our product is that it can be customized by the client to meet their communication needs. Our product is so malleable for clients and businesses…the number of use cases has and continues to grow.
  • Growing feature-set – Second, the product has grown so that we can assist in tool chaining and various internal tools to allow them to talk to each other.
  • People – And third, what sets us apart is the team here at xMatters. We have an amazing set of people working here that can really engage with our clients.

We take what Steve Jobs had said and give it a redux: he said that the world doesn’t know what it wants…so I’m going to make something and make the world love it. This idea was behind our company’s inception, and we have taken his idea and rebranded it. Now we say and realize that the client has been playing with technology for quite some time, and that most people have an opinion as to how things are and should operate. So, we can listen in and get multiple vectors on the product to get improvements that we can then put into the product/service.

As we see it, process workers are engineers with visions. But then the regulators themselves say that the system has to have privacy and security and delivery to work. And then there’s the client, who has feedback on usability, UX, UI, and more. So then you have to take all of those inputs into consideration over time….but if you can prioritize and implement the ones that are of higher impact, then you can be effective. It is of the utmost importance to implement web security to customers because it delivers safety and peace of mind.

At the end of the day, you need 4 input factors for everything to work in harmony. A good product, a solid management team, a vision, and a mission shared among members — that’s the formula where people can align and innovate in the same direction.

It is also of the utmost importance to engage with the client. It’s very important to reach out to them and say “we hear you.” The good news is that most of the requests that come into us are reasonable and viable. So it becomes a question of how to facilitate the greater need and not just the one need. We listen to our clients, engage with them, and then if we can deliver something new and if it makes sense for the product, then why not deliver? We are right at the intersection of customer evolution and the technology available…people know what they want through innovation and repeated use.

Q: 2017 has been a landmark year for artificial intelligence (AI) and machine learning (ML), with plenty of companies expressing their interest in tapping these technologies. What’s your take on this? How can companies utilize and tap the benefits of AI and ML?

A: In regards to machine learning: computers are amazing when it comes to fractal equations. They do lots of looping functions and are successful at this because the error rate with human beings would just skyrocket after a certain number of executions. Computers don’t have the same value structures or emotive issues as people, which is why they are more reliable and successful at things like repetitive work and fractal equations.

People mostly want to build AI based on their egos or their fear-driven systems in their own mind. They want to be able to create a system that they can have a conversation with and something that can do something for them. There are, of course, many use cases for AI, but it can be abused by the masses easily. If you could unleash AI as a teacher, then you would be able to deliver this same repetition…and the human mind loves repetition. The brain itself is a muscle, similar to a bicep. The more curls you do, the more muscle you gain…but curls are not exclusive to the gym, as using your muscles happens in many other forms. The brain is the same: expose it to really good repetitive educational value and it will become sharper.

The reality of AI is that it has a place in the world. But if we are using it for only bells and whistles, then it is not effective.

About xMatters

Founded in 2000, xMatters is the trusted provider of an integration-driven collaboration platform that accelerates incident response and resolution. xMatters relays relevant data between key systems while engaging the right people to proactively resolve issues. This enables enterprises to avoid costly incidents, prevent outages, and streamline DevOps processes. Trusted by thousands of teams at Global 2000 companies, xMatters is headquartered in San Ramon, CA, with additional offices worldwide.