• IT REVOLUTION
  • Newsletter
  • About
  • Contact
  • My Resources
  • Books
  • Video Library
  • DevOps Enterprise Summit
  • The Idealcast
  • Whitepapers
  • Blog
  • IT REVOLUTION
  • Newsletter
  • About
  • Contact
  • My Resources

IT Revolution

Helping technology leaders achieve their goals through publishing, events & research.

  • IT REVOLUTION
  • Newsletter
  • About
  • Contact
  • My Resources
  • Books
  • Video Library
  • DevOps Enterprise Summit
  • The Idealcast
  • Whitepapers
  • Blog

Nick Galbreath On Integrating Information Security Into DevOps

May 10, 2012 by Gene Kim 2 Comments

I had the pleasure of meeting Nick Galbreath (@ngalbreath) at the SxSW Interactive conference this year. He’s especially memorable to me in much the same way Josh Corman and James Wickett are.  What they all have in common is that they believe that DevOps may be the best thing that’s happened to information security in a very long time.

Nick is an information security practitioner who not only sees the value of DevOps-style practices to information security, but also lives and breathes it.  What makes him especially qualified to speak on this is that he’s worked with John Allspaw (@allspaw), who was one of the primary forces in the birth of the DevOps movement. Galbreath and Allspaw have collaborated not once, but twice during the last decade.

In his DevOpsDays Austin talk, he explains how he integrates information security objectives into the DevOps practices at Etsy. He calls it “DevOpsSec.” At Etsy, they routinely do sixty-plus deploys per day, and have integrated it into all the various work streams of Dev, QA and Ops, including continuous integration and release, testing, production monitoring, and post-mortems.

He argues very persuasively that high rates of deployment forces out all the tedious, manual and error-prone steps in the deployment process, especially around change and configuration, which form the root causes of most security failures.

Here are some of my favorite techniques he mentioned, which all demonstrate how to integrate information security objectives into the value stream of Development and IT Operations, and do it in a way that provides obvious value to everyone.

  • Generate graphs of all occurrences of “UNION ALL” in user input (to remind developers of the ever-present risk of SQL injection attacks)
  • Add security-related ASSERTs to the puppet/chef environment build process (to catch misconfigurations, ensure that certain pages are always served with HTTPS, etc)
  • Integrate major security failures into their blameless post-mortem process
  • Continually look for segfaults and crashes on servers (it may be an early indicator of bad code or a successful attack probes)
  • Have that attitude that having your site attacked all the time is a gift (it makes the risk visible to everybody, helps educate developers, etc.)
  • Hold Tuneup Days to encourage people to bring their home computers in for information security staff to harden and repair (elevating the average level of hygiene to the same level as inside the organization)

One of the goals that we’re striving to achieve with the “DevOps Cookbook” is to show exactly how Development, QA, IT Operations, Information Security and even Product Management need to work together to get fast flow of features into production, while preserving the stability, availability, security, manageability, and so forth, of the production environment.

I’m particularly excited that the principles and techniques that Nick talks fit in so well with the DevOps patterns we’ve observed, and that they not only help information security to achieve its goals, but provide real and visible value to the entire organization.

Keep up the great work, Nick!



Video streaming by Ustream

(Unfortunately the Ustream video takes a very long time to load, but the talk is well worth the wait. You can find the slides from the presentation here.)

 

I had Wendy Mitchell interview Nick after his talk, and he shared his thoughts on how his belief  that DevOps will be the standard way of working in the future, more on the Tune Up Days, as well as what he’s working on now.

Most Recent Articles

  • Measure Software Delivery Performance with Four Key Metrics
  • Measuring Software Quality
  • Five Common Problems Organizations Face Today

Filed Under: DevOps Community

Comments

  1. AsherBond says

    April 10, 2014 at 1:58 pm

    What’s that BASH talk. Oh yeah.

    Reply
  2. byteplumber says

    April 4, 2016 at 3:58 pm

    “What makes him especially qualified to speak on this is that he’s worked with John Allspaw (@allspaw), who was one of the primary forces in the birth of the DevOps movement. Galbreath and Allspaw have collaborated not once, but twice during the last decade.”

    How does working with Allspaw make him “especially qualified to speak on this”? Seems to me anyone in the DevOps space who has NOT worked with one of these “primary forces” guys would be more qualified, since all the information we’ve received for years is birthed from this small cabal of braintrust. It’s getting stale, honestly.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

newsletter sign up

Topics

Tags

advice agile agile conversations better value sooner safer happier business business agility business leadership change continuous delivery conversations development devops DevOps Advice Series devops enterprise forum DevOps Enterprise Summit digital transformation DOES17 dominica degrandis douglas squirrel enterprise executive Gene Kim information technology IT jeffrey fredrick John Willis Jonathan Smart leadership lean manuel pais mark schwartz matthew skelton Mik Kersten operations Project to Product software software delivery Sooner Safer Happier teams team topologies The Phoenix Project three ways transformational leadership war and peace and it WaysofWorkingSeries

Recent Posts

  • Measure Software Delivery Performance with Four Key Metrics
  • Measuring Software Quality
  • Five Common Problems Organizations Face Today
  • The IT Leader’s Place in the Business
  • Project to Product Transformation: How to Get Started
25 NW 23rd Place
Suite 6314
Portland, OR 97210

Privacy Policy

Featured Book

Featured Book Image

Events

  • DevOps Enterprise Summit London
    Virtual · 18-20 May 2021
  • Facebook
  • LinkedIn
  • Twitter
  • YouTube
Copyright © 2021 IT Revolution. All rights reserved.
Site by Objectiv.