DevSecOps: What It Is and Why You Need It
On August 17, 2021, XQ hosted its first developer roundtable discussion with developers, our very own Kelby Price, and Zero Trust expert Junaid Islam. The event centered around Zero Trust, APIs, DevSecOps, and cybersecurity challenges in the software development industry.
The following is an excerpt of the conversation, in which developers were asked for their thoughts on DevSecOps and the benefits of adopting a DevSecOps approach:
Question:
I wanted to ask you what you think about DevSecOps. Could you further describe your responsibilities as a developer when it comes to security?
Junaid (22:34):
So, I actually wanted to go around and ask some of the developers what they think of DevSecOps. Is that a philosophy that you think is real? Because Zero Trust is an enabling technology. But the question is, what is it enabling? You're seeing the big companies like Cisco, Palo Alto, integrating it into products, and that makes a lot of sense. But if you're a software person, you're like, well, that's a different industry. So, Kelby, since you're better at asking people, do you want to poll the group on DevSecOps, and don't people get a prize for showing up here? I thought they-
Kelby (23:17):
Yes. You all do. You all will get an Amazon gift card, if you show up here and follow us on LinkedIn. We're really appreciative of all of you guys providing your feedback today.
Junaid (23:30):
Everybody's a winner of an Amazon gift card.
Kelby (23:33):
That's right. So, I think that it would be great to get some feedback. One thing is, what do you think about DevSecOps? And the other question is, Junaid brought up a really good point, that right now, software development and security are siloed. So, you develop the software and you pass it over to the security individuals to secure that software. Now, our API enables security to be embedded into the very fabric of your technology-
Kelby (28:26):
Well, I'll put someone else on the spot now, I wanted to ask you about what you think about DevSecOps, and then if you could further describe your responsibilities as a developer when it comes to security.
Speaker 2 (28:42):
Yeah. Hello. Can you hear me?
Kelby (28:46):
Yes, we can.
Speaker 2 (28:48):
Okay. So yeah, I am working as an integration developer. So, to do this, I am using a lot of products like ADL and service products. When it comes to security, I do have to specify what kind of fields I am using for data masking. So there is some customer-sensitive information, like customer address and email. I need to make sure that I mask it, and then I have to use some kind of product-level security and understand how that security is working: is there any possibility to encrypt and decrypt at their security levels, by developing a simple POC, as well as a checklist for the response time, those kinds of things.
Kelby (29:37):
That is very interesting. [inaudible 00:29:39], would you be able to speak a little bit about some of our techniques when it comes to data masking from like customer address, customer email, and how we're able to segment all of those out, even if that data is pulled from an application and goes to a data lake, for example, and why XQ provides a really unique and fundamental difference to the security that's currently available?
Junaid (30:06):
So, one of the important ideas in zero trust is zero trust works at many levels. One of the ideas is if you're not authenticated and authorized, you don't get the decryption key. So that is really good when you're worried about ransomware or data exfiltration. So imagine a data lake where people are pushing in data, and then somebody gets the password of the admin and then takes all the data out of the data lake. Well, XQ is very good at that because when the data is stolen, the cyber attacker has the wrong identity. Or even if they've stolen the identity of the admin, they're in the wrong location in the world, so they don't get it. And you say, "Well, that's really good. But what about running applications inside the data lake?" Well, XQ does something interesting. When you have a file or a record, XQ can actually encrypt the fields using different keys.
Junaid (31:04):
So this is important when you're doing something like smart cities. So imagine in a smart city where you have data of all the citizens on water bills, power bills, people parking. And then say you have a program, and the program is a billing program, and say, just looking at parking, parking spots, it just wants to generate a bill to pull it from the credit card. Well, that program doesn't need access to all the data like your tax data, because it's not relevant to it. And it's also dangerous to give programs access to everything, because say that program is a fake, put in by a cyber attacker. So XQ, using the zero trust model, not only has zero trust in people outside the data lake; it also has zero trust for applications inside the data lake. So it says, if you are a program and the name of your program is monthly parking fees, that's the name of your program, it looks up the name of the program and it says, "Oh, the monthly parking fee program should only have access to, say, license plate and the number of parking spots they use." Anything else, your taxes, your this, street corner lights, whatever, you don't have access to. So it'll unlock the fields only around the parking spots and the associated license plate to do automated parking.
Junaid (32:36):
So, one of the things we are working with, and this is a new concept, when we talk about extending zero trust into the data world, we're actually developing new constructs that actually don't exist. So right now, when people think of access to storage farms, it's kind of very binary. Either you don't have access or you do have access. We think that's incorrect because there's a lot of cases where things do get accessed, but they have too much access, or they have access to everything, which again opens you up for massive data exfiltration and ransomware, because someone can come in and say, "Oh, I'm a billing program, or I'm just a statistical program. Let me look at all the data and copy it and pull it out." And the answer is no, we're not going to do that. We want to know who you are. What is the name of your application? Right? And based on the application name, we are going to authorize you for only a small slice of what's in the data lake. So, kind of what we're doing here and why talking to developers like yourself is important is we're actually inventing new ideas and concepts of what zero trust means in the software world. Right? You can search for it online, and I bet you'll find nothing. So...
Kelby (34:01):
So, are you saying, [inaudible 00:34:01], that with this technology, could we have prevented Edward Snowden, for example, from exfiltrating all of the data from that data lake?
Junaid (34:11):
Yeah. So, what we would've done in the Edward Snowden case is because he had access to the raw laptops, he would've actually been able to steal the data, but it would've been in its encrypted state. And when he tried to unlock it, the system wouldn't unlock, right? Because the system would say, "Oh, you've got to be the authorized user sitting at your desk inside." In his case, I guess he was sitting at CIA in Hawaii. That's all we do. So you can't really stop the theft of data. That's actually very difficult to do because at some point someone can actually rip out the storage system and walk out the door, and you say, "Well, you can't really stop that." But what you can do is not unlock the data electronically. That is doable.
Junaid (34:58):
So, when we talk about zero trust, we say just because you have access to the data, just because you have the phone and this data is stored on the phone, we're saying we have zero trust in you, whoever you are. So, unless we know who you are, where you are, we're not going to give you that encryption key. And that is a kind of deeper, new way to think about zero trust, which is... Well, it's kind of new, so part of what we're trying to do is work with developers to bring this new concept out. And it could be a game changer, or we hope it's a game changer. But more importantly, this only works if software developers feel it makes their software better, right?
Kelby (35:46):
Yeah.