With dozens of presenters and facilitators across four talk tracks — Open Source Security, Open Source License Compliance, Open Source Research and Innovation, and Secure DevOps — Black Duck’s annual customer event, FLIGHT, powered through topics impacting today’s software organizations. Today, a software organization is any business unit, department, or team that develops or modifies software for any purpose; that’s a lot of organizations! Odds are, this includes yours.
Among the attendees were many making a push for secure DevOps, the industry’s hot new term for the interplay between agile application development and secure operations at scale, with unhindered information flow across groups. In order to achieve the “secure” part of secure DevOps, people are putting their best foot forward to manage open source vulnerabilities during development and in production.
Getting Technical on Containers
At this year’s FLIGHT conference, Tim Mackey's sessions articulated a story of containers in development and in production. In one session, Tim posited that containerization is rapidly becoming a requirement for a transition to DevOps, largely due to its natural synergy with agile development practices. He demystified containers, explained their core concepts, and distinguished them from virtual machine architectures. In another, he discussed containers at an enterprise level, speaking to the policies, workflows, and automation necessary to securely deploy containers at scale, and then monitor them for vulnerabilities in production.
Because containers accommodate the DevOps ideal of rapid deployment, it is easy to overlook the open source security practices needed to keep vulnerable components out of them. As we continue to move to a DevOps environment, we need to evolve methodologies and tools to make application security an integral part of the process, from development into production.
Integrating Security into DevOps Processes
There is rumor of a DevOps treasure map (shaped like a sideways number 8, of course) where the proverbial X is simply the start of the road from development to production and back again. This year, Utsav Sanghani dissected that treasure map, exploring the range of tools and processes at each juncture that accomplish a critical step in turning code into a final product. Utsav explored the methods available to integrate open source security practices into the SDLC: SCMs, IDEs, CI tools, binary repositories, and so on.
Direct integration lets security insight reach teams at each of these stages, ultimately strengthening a project’s security posture. Rather than waiting for a testing phase late in the SDLC, security must be baked in and validated continuously, from the start. To uphold security, it's critical to know which open source components you're using, which of them are vulnerable, and where those components exist in your projects. Integrating Black Duck’s open source security insight into your DevOps toolkit provides exactly that, simplifying early identification and remediation of potentially threatening vulnerabilities.
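The three questions in the paragraph above (which open source components are in use, which of them are vulnerable, and where they live) are what a software composition analysis step answers. What follows is an added example written for this article, not Black Duck's code or tooling: it inventories components from a constructed pip requirements file and a constructed fragment of a container image's dpkg status database (covering the container case from the previous section as well as the SDLC integration point here), matches them against a constructed advisory list, and reports each hit with the file and line it came from. The advisory IDs (ADV-EX-…), the affected ranges, and the package names examplelib, exampletool and libexample1 are hypothetical; they do not refer to real vulnerabilities.

```python
"""Minimal software-composition check (added example for this article, not
Black Duck's code). Inventory open source components from an application
manifest and a container image's package database, match them against a
vulnerability feed, and report where each affected component is declared.
All inputs below are constructed; advisory IDs and package names are hypothetical."""
import re
from dataclasses import dataclass

# Constructed pip requirements file. exampletool and examplelib are hypothetical names.
REQUIREMENTS_TXT = """\
# web tier (constructed)
flask==1.0.2
exampletool==0.9.0   # hypothetical package, pinned at the patched version
examplelib==3.1.0    # hypothetical package, inside an affected range
"""

# Constructed fragment of /var/lib/dpkg/status as found inside a Debian-based image.
DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.2.3-1
Description: hypothetical shared library

Package: zlib1g
Status: install ok installed
Version: 1:1.2.8.dfsg-5
Description: compression library - runtime
"""

# Constructed advisory feed: affected if introduced <= version < fixed. Not real CVEs.
ADVISORIES = [
    {"id": "ADV-EX-0001", "ecosystem": "pypi", "package": "examplelib",
     "introduced": "3.0.0", "fixed": "3.1.2"},
    {"id": "ADV-EX-0002", "ecosystem": "deb", "package": "libexample1",
     "introduced": "1.0.0", "fixed": "1.2.4-1"},
    {"id": "ADV-EX-0003", "ecosystem": "pypi", "package": "exampletool",
     "introduced": "0.8.0", "fixed": "0.9.0"},  # the fixed version itself is not affected
]


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str
    location: str  # file:line where the component is declared or recorded


def version_key(v: str) -> tuple:
    """Simplified comparable key: numeric tokens compare as integers, others as strings.
    Adequate for the constructed data; a real scanner must apply the ecosystem's own
    rules (PEP 440 pre-releases, dpkg epochs such as '1:' and '-N' revisions)."""
    return tuple((0, int(t), "") if t.isdigit() else (1, 0, t)
                 for t in re.split(r"[.\-:+~]", v))


def parse_requirements(text: str, path: str = "requirements.txt") -> list:
    """Collect exactly pinned (name==version) requirements, recording the line number."""
    comps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.\-+!]+)$", line)
        if m:
            comps.append(Component("pypi", m.group(1).lower(), m.group(2), f"{path}:{lineno}"))
    return comps


def parse_dpkg_status(text: str, path: str = "/var/lib/dpkg/status") -> list:
    """Collect installed packages from dpkg's stanza format, recording the stanza's first line."""
    comps, fields, start = [], {}, 1
    for lineno, line in enumerate(text.splitlines() + [""], 1):
        if line.strip() == "":  # blank line ends a stanza
            if fields.get("Status", "").endswith("installed"):
                comps.append(Component("deb", fields["Package"], fields["Version"], f"{path}:{start}"))
            fields, start = {}, lineno + 1
        elif line.startswith(" "):  # continuation line (e.g. long Description)
            continue
        elif ": " in line:
            k, v = line.split(": ", 1)
            fields[k] = v
    return comps


def match_advisories(components: list, advisories: list) -> list:
    """Return (component, advisory) pairs whose version falls in an affected range."""
    hits = []
    for c in components:
        for a in advisories:
            if a["ecosystem"] != c.ecosystem or a["package"] != c.name:
                continue
            if version_key(a["introduced"]) <= version_key(c.version) < version_key(a["fixed"]):
                hits.append((c, a))
    return hits


def report(hits: list) -> list:
    return [f"{a['id']}: {c.ecosystem}/{c.name} {c.version} at {c.location} (fixed in {a['fixed']})"
            for c, a in hits]


def scan() -> tuple:
    components = parse_requirements(REQUIREMENTS_TXT) + parse_dpkg_status(DPKG_STATUS)
    return components, match_advisories(components, ADVISORIES)


if __name__ == "__main__":
    comps, hits = scan()
    print(f"{len(comps)} components inventoried, {len(hits)} vulnerable")
    for line in report(hits):
        print(line)
```

The location field is what makes the result actionable at each SDLC stage: a hit in `requirements.txt:4` is a one-line fix for the developer in their IDE or pull request, while a hit in the image's dpkg database points at the base image and belongs to whoever owns the container build. The version comparison is deliberately simplified; the hard part of a real scanner is a curated vulnerability database and ecosystem-correct version semantics, not the matching loop.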
Taking Open Source Under Their Wing
FLIGHT is not only an opportunity for organizations to discuss open source software security but also a source of inspiration for open source adoption. This year, Karan Marjara (Fujitsu), John Vrankovich (JDA Software), and Mohammad Rezaei (Goldman Sachs) each presented a distinct take on an organization's role in the open source community, and on the ways in which the community can shape an organization.
Karan explored ways of adopting open source as a strategic benefit that drives innovation, including the creation of the Warrior Framework, which automates software testing, processes, and repetitive tasks. John's discussion of JDA's Open Source Center of Excellence (OSCOE) illustrated the need to standardize open source adoption throughout an organization in order to maintain security, efficiency, and compliance as the company grows both organically and through acquisition. Mohammad corroborated each of these messages, walking through ways to spread successful open source community engagement across business units.
Open Source Takes to the Clouds
As software deployment models evolve, the cloud consistently rises to the top of the viable options for efficient operations. Tony Hansmann (Pivotal) closed the customer presentations on DevOps by speaking to the security requirements for cloud-based application delivery. Moving quickly from basics to advanced topics like testing and security modeling, Tony explored real-world examples of open source risk management on continuous delivery platforms like Pivotal Cloud Foundry. His motivation: to provide actionable insight and practical tips for establishing long-term open source security standards.
The discussions, presentations, and revelations from FLIGHT 2017 confirmed what many organizations are realizing: DevOps is a powerful methodology with significant implications for the efficiency and effectiveness of the teams responsible for creating and deploying critical software. As open source becomes a staple of the development community, it's imperative that security practices evolve to match the resulting risk exposure. After this year's FLIGHT, it's clear that organizations are, in fact, ready to invest in DevOps and are truly beginning to grasp what it means to spread open source security insight to everyone involved in secure DevOps.