Meet Ali Golshan, CTO and co-founder at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes. Prior to StackRox, he was the Founder & CTO of Cyphort (acquired by Juniper Networks) and led the company's product strategy and research initiatives. Previously, he worked as a security researcher and engineer at Microsoft and PwC. His career started in government, conducting security and vulnerability research for the intelligence community. Here, we talk to Golshan about the benefits of DevOps.
Security magazine: What is DevOps? Is this a modern movement?
Golshan: DevOps, as the name implies, occupies the middle ground between application developers and infrastructure operators. The shift towards DevOps as an organizational function is fairly modern, driven by increased degrees of compute virtualization and automation in the datacenter. This shift has accelerated as Kubernetes emerged as the standard for container orchestration; its principles of microservices architecture, declarative definition, and immutable infrastructure are enablers for DevOps (and DevSecOps).
Security magazine: How does your focus on Kubernetes help DevOps and security teams operationalize security across the full container lifecycle?
Golshan: With a Kubernetes-native security platform designed for a DevOps-friendly approach to security, security teams can ensure that they don't slow down the application teams' pace of innovation, while also protecting their workloads and maintaining their desired cloud security posture. DevOps teams are assured that the security platform will provide them richer cloud-native context for remediating issues, and the platform won't conflict with the infrastructure running their applications.
Security magazine: How is DevOps different from traditional software development and DevSecOps?
Golshan: DevOps differs from traditional software development in that the operation of the software in production is a consideration for the application teams. When DevOps is absent from an organization, operations teams are challenged to achieve application uptime SLAs because there is no integration between teams, and no feedback loop from operations to software development. DevSecOps builds on DevOps by ensuring that not only are application and infrastructure concerns aligned, but also security concerns. All three teams can then operationalize security across the full software development lifecycle.
Security magazine: What are the benefits of a change toward DevSecOps?
Golshan: Moving to a high-functioning DevSecOps practice and using Kubernetes as a common language and single source of truth throughout the container lifecycle provides several benefits: lower operational costs (through efficiency gains enabled by a common platform and source of truth), decreased operational risk (reduced app downtime due to conflicting infra and security platforms), and increased developer productivity (through guardrails making security controls a seamless and almost "invisible" part of the developer workflow).
Security magazine: What are your predictions for DevSecOps in 2021?
Golshan: Looking forward to 2021, expect continued progress on adopting DevSecOps best practices as commercial platforms continue to build out Kubernetes-native approaches to security. Most organizations are still making a transition to Kubernetes and microservices, and 2020 was really the first year we saw widespread adoption of Kubernetes in production at scale. Now, the attention will shift towards gaining greater efficiency and improved security by incorporating DevSecOps best practices into the software development lifecycle.