My History of DevSecOps

How I learned DevSecOps, helped two companies move to cloud, built a secure CI/CD pipeline, authored and now teach cloud security classes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

🔒 Related Stories: DevOps

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I always knew that automation would help prevent many problems in software deployments. I was annoyed with running mail servers and source control systems, backup servers, load balancers, and firewalls, among other things. I wanted someone to take care of all that for me so I could just focus on building software, but I wanted it to be secure. I had to do all these unrelated things while running an e-commerce and web hosting business. I found it to be tedious.

When I went to get my first masters degree, I specifically looked for a degree in software engineering, not computer science. I didn’t want to learn hardware, circuits, and wires. I wanted to write software like I did when I was in 6th grade on a TI/994a. I always tell people, “I don’t do boxes and wires.”

I had to do some of that, but I didn’t like it. I punched down a phone line once, and that was enough. I went to a gas station to see how they were installing our ISDN line equipment in 1994, but I never touched it. I had to configure a Cisco load balancer while talking to a Cisco certified engineer on the phone. None of those things appeal to me. At the time I went to get my masters, only two colleges were offering the program I wanted. I received my degree in 2000 from Seattle University, which, according to the dean at the time, offered the first software engineering masters degree in the country.

Around 2002 I was racking and stacking servers I had purchased from companies who built them from raw parts. I thought that if someone could only automate all the annoying things I had to do in my datacenter (basically a rack in a colocation facility), life would be so much easier. I didn’t like that sort of thing, so I didn’t want to do it myself or be responsible for all that infrastructure. Thankfully, that’s what Amazon did, and eventually, my wish came true.

The link to a definition of DevSecOps in my blog post on deployment system security is a video from AWS re:Invent 2015. I was there in person, and it was the first time I heard the term DevSecOps. At the same time, I was getting a masters degree in cybersecurity. The curriculum had no information about the cloud, and the terms DevOps or DevSecOps were non-existent. Everything I learned about cloud security and security automation was through personal experiences and research — driven by my hypothesis that cloud platforms could, under some circumstances, improve security.

The two people from AWS making this DevSecOps presentation, Hart Rossman and Bill Shinn, have both helped me in my quest for cloud security expertise and knowledge. Bill provided input on a paper I wrote in 2016, which is related to this blog post on a few other upcoming blog posts: Balancing Security and Innovation with Event-Driven Architectures. I based the paper on my experiences on the Capital One cloud team and a desire to leverage the power of the cloud platform in new and different ways to improve security.

I also gave the a presentation on AWS Security Strategy that had the image for this blog post as one of the slides. DevOps, DevSecOps, and CloudMigrations require appropriate architecture and design by the right people, not just technology. The CI/CD pipeline is part of a larger security architecture that must be well thought-out. Otherwise your security strategy will either be eternally talking about cloud but never getting there, or akin to herding cats.

That same year, I gave a presentation on the paper at the SANS Network Security called Automated Intrusion Detection and Response on AWS. Most security professionals present had very little or no cloud exposure. At the time, there were any cloud security classes at SANS Institute, one of the largest cybersecurity training organizations in the world. The room was packed, and I remember some people’s surprise at the capabilities the cloud had to offer.

That wasn’t the first time I talked about the cloud at SANS. I was accepted into the SANS Masters in Information Security Engineering program in 2012. My first class was a presentation class, and the topic I chose to to present was How Some Companies Could be More Secure In the Cloud. I jokingly say I thought they would kick me out and claim I didn’t know what I was talking about, nor was I qualified to be in the program. Luckily, they let me stay. I went on to graduate and obtained my GSE, one of the hardest certifications to obtain in the cybersecurity industry, and several other cybersecurity certifications.

As I started revisiting cloud and had become convinced that it had benefits for even large security-conscious organizations, everyone around me was telling me cloud would never take off. Even my boyfriend, who did not work in the tech industry, told me his venture capitalist cousin said no one would move to the cloud because it’s not secure. Usually, I’d just reply OK because sometimes things are too involved to explain in a short amount of time, or it’s not worth an argument. In this case, I said emphatically, “He’s wrong.”

Capital One invited me to be on the original team that helped them move to the cloud, and it was an incredible experience. I wrote a lot of internal blog posts to help resolve problems with cloud security, networking, and deployments. According to some, those posts have survived my departure. I’m still friends with people I met while working on that team.

My new boss said he was impressed that I had started the Seattle AWS Architects and Engineers Meetup, which had about 800 members at the time. Now it has multiple thousands of members. At some point, AWS honored me with the title of AWS Community Hero. I didn’t even know what that was when they contacted me, but I’m thrilled to be part of the program and have made some amazing friends all over the world.

As I was writing my paper, another company recruited me to lead a team to move them into the cloud. As Cloud Architect and later Directory of SAAS Engineering, I was able to architect and implement the CI/CD pipeline. One of the critical points of the paper was a secure deployment pipeline to help prevent configuration errors, while still allowing people to get their work done. The base pipeline was deployed in about three months, including backups and failover, with the help of a rockstar DevOps team, including @kolbyallen and other key contributors.

We iterated and improved on it from that point forward. I based the architecture on concepts from my paper and things I learned at Capital One. Some of those people who helped me implement that architecture have moved on and continue to use the same principles in new organizations.

SANS finally did get a cloud security class, and I ended up teaching it for a year before I moved on to write and teaching my cloud security class. I am grateful to the amazing SANS instructors who taught me traditional cybersecurity. They have more knowledge in certain areas than I will ever obtain due to different focuses, backgrounds, and experiences. The information I received was broad and deep.

Although I learned a lot at SANS Institute, cloud security, DevOps, and DevSecOps were not on that list. For this reason, I am also grateful I went to the re:Invent presentation I mentioned and met Bill and Hart. That talk is one of the early influences that inspired me to focus on cloud security and reinforced my belief that proper use of a robust cloud platform has security benefits. I thought it was a great explanation of DevSecOps at a time most people were not yet doing it. I am amazed at how well that presentation stands the test of time, though new AWS features exist to address some of the problems.

Since then, I’ve done a significant amount of research and written many cloud security, security automation, and cybersecurity blog posts, articles, and white papers. I believe some of my cloud research and writing led SANS Institute to give me the SANS Difference Maker’s Award in 2017 for innovation in cybersecurity. Like the honor of becoming an AWS Hero, I did not even know this award existed and am incredibly grateful.

What will I do next with DevSecOps? At this moment, I’m wrapping up a book on Cybersecurity for Executives, which includes some related information. Beyond that, I am always researching how to explain cybersecurity to everyone and how to help companies stop data breaches and incorporating that research into cloud security blog posts and my cloud security training.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2019

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab