Click below to listen to TestGuild DevOps Toolchain’s interview with Wabbi’s Founder & CEO, Brittany Greenfield. She talks with host, Joe,  about the integration of security and development in the DevOps process.

This interview originally appeared on TestGuild DevOps Toolchain Podcast on April 10, 2024

AI-Powered Security Orchestration in DevOps

About the session
This transcript is from an episode of the Test Skill DevOps Tool Chain podcast. The host, Joe, is speaking with Brittany Greenfield, CEO and founder of Wabbi, about the integration of security and development in the DevOps process. They discuss the concept of application security posture management, the future of DevOps, and the role of Wabbi in bridging the gap between security and development.

Key speakers
– Joe, Host
– Brittany Greenfield, CEO and Founder of Wabbi

Agenda
– Introduction of Brittany Greenfield and her work in DevOps and application security.
– Discussion on the future of DevOps and the integration of security into the process.
– Explanation of Wabbi’s role in application security posture management.
– Discussion on the challenges in integrating security into the DevOps process.
– Explanation of how Wabbi addresses these challenges and facilitates the process.
– Discussion on the current state of application security and the role of government and tech companies in it.
– Advice for those working in DevOps and security.

Takeaways
Takeaway: DevSecOps should be absorbed into DevOps, streamlining development

Brittany Greenfield believes that the term “DevSecOps” should be obsolete as security should be inherently integrated into DevOps, which itself should be part of standard development. The concept of DevSecOps was born out of the recognition of the need to integrate security into the efficiency-maximizing, silo-breaking practices of DevOps, but this integration has not been fully realized.

“DevSecOps should exist as a term is it should just be DevOps which should just be development,” said Greenfield. She argued that the initial shift to DevOps was about maximizing efficiency through breaking down silos, but security was left behind due to its complexity and its different methodology.

Greenfield’s mission with Wabbi is to make DevSecOps obsolete by seamlessly integrating security into the development process, noting that “everybody recognizes that DevSecOps is the norm,” but most enterprises have only implemented DevSecOps without truly integrating it into their existing software development lifecycle process.

Takeaway: Application Security Posture Management can streamline security integration

Application Security Posture Management (ASPM) holds the potential to streamline the integration of security into the development process. ASPM leverages automation and orchestration to manage the end-to-end application security lifecycle as part of the software development lifecycle, allowing developers to focus primarily on developing code.

One feature of Wabbi, as explained by Greenfield, is that it “orchestrates the end-to-end application security lifecycle as part of the software development lifecycle.” This allows developers to just focus on developing code, while the security tasks are fed into the process at the right time.

Greenfield gave an example of how Wabbi works: when developers submit a pull request, Wabbi will automatically kick off a security scan, bring back the results, prioritize them, and if needed, block the pull request from being completed until the critical vulnerabilities are fixed.

Takeaway: Security should be more than just compliance

Greenfield emphasized that while compliance is important, security should not be merely viewed as a checkbox to tick off. She argued that security should also consider business risk and customer risk, and that each company has different security standards depending on its risk profile.

Greenfield criticized the idea of security being just about compliance, saying “if you’re only doing security to do compliance then you’re just doing check the box security.” She pointed out that each company, especially in large enterprises, treats their applications with different security risks.

She concluded by highlighting the importance of collaboration in achieving effective security, saying “at the end of the day all of this is just good development because it’s about good collaboration and breaking down silos.”

Insights surfaced
– Application security posture management is a growing field that bridges the gap between security and development in the DevOps process.
– The integration of security into the DevOps process is a challenging but necessary step to ensure the safety and efficiency of software development.
– Wabbi is a platform that facilitates this integration by managing the end-to-end application security lifecycle as part of the software development lifecycle.
– The role of developers in the security process should not be to become security experts, but to work in collaboration with security professionals to ensure secure development practices.
– The future of application security will likely involve more government involvement and regulations, as well as the continued development of transformative technologies like application security posture management.

Key quotes
– “The reason I don’t believe DevSecOps should exist as a term is it should just be DevOps which should just be development right and if we think about where DevOps came from it was really about breaking down silos and DevSecOps is no different.”
– “Part of my mission with Wabbi is to make that term DevSecOps obsolete because it should just be the norm.”
– “We’ve created all of this data but it’s not enough to have data you have to have actionable information.”
– “We’re not expecting nor should we developers to suddenly start doing different things right they’ve got good workflows those will evolve as development evolves same with security they’ve got their own workflows.”
– “One actionable piece of information I think I can give that’s going to move the ball forward a lot faster is pick up a phone and call an application security manager.”