When I joined New Relic a year and a half ago as our first Director of Information Security and Compliance, I faced a challenge. It was clear that both the company and our customers cared about security (if they didn’t, they wouldn’t have hired me), but it was also clear that part of what made New Relic unique was our ability to move quickly and innovate. In the traditional security world, speed is often thought of as the enemy, but at New Relic we were releasing our application twice a week (now it’s daily).
What resulted from this dichotomy was a new way of thinking about application security. Over the past year, we’ve taken the traditional Secure Software Development Life Cycle (SDLC) and morphed it into something that works in a Continuous Deployment/DevOps environment. One step was introducing automated triage on all code commits, so that the security team can focus on the highest-risk changes. We also perform continuous vulnerability scanning in our pre-production environments, and we have replaced our formal release sign-off process with a Sidekick process (because everyone loves a superhero!).
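To make the commit-triage step concrete, here is an added illustration of the idea (not New Relic’s own tooling): a small Python script that parses a unified diff, scores each changed file by where it lives and what the added lines contain, and routes the commit to security review when the total crosses a threshold. The path rules, content rules, weights, the `REVIEW_THRESHOLD` value, and the two sample diffs are all constructed assumptions to be tuned per codebase.

```python
"""Commit risk triage for a continuous-deployment pipeline.

Added illustration, not New Relic's code. Rules and threshold are constructed
examples; a real deployment would tune them to its own codebase and team.
"""
import re
from dataclasses import dataclass, field

# Constructed path rules: (regex, weight). Changes in these areas deserve a human look.
PATH_RULES = [
    (re.compile(r"(^|/)(auth|session|login|oauth|sso)[^/]*", re.I), 5),
    (re.compile(r"(^|/)(crypto|secret|key|cert)[^/]*", re.I), 5),
    (re.compile(r"(^|/)(billing|payment)[^/]*", re.I), 4),
    (re.compile(r"(^|/)(config|settings|env)[^/]*", re.I), 3),
    (re.compile(r"(^|/)migrations?/", re.I), 3),
]

# Constructed content rules, applied only to lines the commit ADDS.
CONTENT_RULES = [
    (re.compile(r"\b(eval|exec|system|popen)\s*\("), 4),                                   # dynamic execution
    (re.compile(r"(password|secret|api_key|token)\s*[=:]\s*['\"][^'\"]+['\"]", re.I), 5),   # hard-coded credential
    (re.compile(r"skip_before_(action|filter)|csrf_exempt|verify\s*=\s*False", re.I), 4),  # a control switched off
    (re.compile(r"\b(md5|sha1)\b", re.I), 2),                                              # weak hash
]

REVIEW_THRESHOLD = 5  # assumption: tune to the security team's review capacity


@dataclass
class FileRisk:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_diff(diff_text):
    """Return [(path, added_lines)] from a unified diff. Minimal parser, not exhaustive."""
    files, path, added = [], None, []
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new file header: start a new file record
            if path is not None:
                files.append((path, added))
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            added = []
        elif line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])             # an added line (strip the leading '+')
    if path is not None:
        files.append((path, added))
    return files


def score_file(path, added_lines):
    """Score one changed file: path weight plus the weight of every matching added line."""
    risk = FileRisk(path)
    for rx, weight in PATH_RULES:
        if rx.search(path):
            risk.score += weight
            risk.reasons.append(f"path matches {rx.pattern!r}")
    for text in added_lines:
        for rx, weight in CONTENT_RULES:
            if rx.search(text):
                risk.score += weight
                risk.reasons.append(f"added line matches {rx.pattern!r}: {text.strip()[:60]}")
    return risk


def triage(diff_text, threshold=REVIEW_THRESHOLD):
    """Return (total_score, decision, per-file risks) for one commit's diff."""
    risks = [score_file(p, a) for p, a in parse_diff(diff_text)]
    total = sum(r.score for r in risks)
    decision = "security-review" if total >= threshold else "auto-pass"
    return total, decision, risks


# Constructed sample diffs: a routine model change and a change to session handling.
SAFE_DIFF = """\
diff --git a/app/models/widget.rb b/app/models/widget.rb
--- a/app/models/widget.rb
+++ b/app/models/widget.rb
@@ -1,3 +1,4 @@
 class Widget
+  validates :name, presence: true
 end
"""

RISKY_DIFF = """\
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -1,4 +1,6 @@
 class SessionsController < ApplicationController
+  skip_before_action :verify_authenticity_token
+  API_TOKEN = "sk_live_example_placeholder"
   def create
"""

if __name__ == "__main__":
    for name, diff in (("safe", SAFE_DIFF), ("risky", RISKY_DIFF)):
        total, decision, risks = triage(diff)
        print(f"{name}: score={total} -> {decision}")
        for r in risks:
            for reason in r.reasons:
                print(f"  {r.path}: {reason}")
```

Run as a pre-merge hook or CI job, the `auto-pass` outcome lets routine commits flow at deployment speed, while the `security-review` outcome (with its reasons list) gives the security team a short, prioritised queue instead of every commit. The reasons matter as much as the score: a reviewer should see why a change was flagged so that noisy rules can be tuned down and genuinely risky patterns kept.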
At New Relic’s recent (and first-ever) user conference, FutureStack13, I had the opportunity to share this new security model and some of the ways we’ve reconciled our AppSec and DevOps needs. If you’re struggling with integrating security into this new way of developing and releasing software, take a look at how we got there in my full talk below.