More and more companies—including mainstream enterprises outside of the Silicon Valley early adopters—are expected to embrace trends like containers and microservices in the coming year. That’s a good thing, but it also raises important questions about how to deal with security issues in an increasingly complex world with broad adoption of distributed systems, orders of magnitude more apps talking to each other, and zillions of vulnerable endpoints.
To address those issues, episode 4 of The New Stack @ Scale Podcast welcomed Armon Dadgar, co-founder of HashiCorp, and Jim Reno, chief architect for security at Apcera, to join co-hosts Alex Williams—founder and editor in chief of The New Stack—and myself.
It’s a fascinating, wide-ranging, 45-minute discussion, touching on everything from security risks for the Internet of Things to tools intended to decouple security from deployment speed. But perhaps the most interesting part of the show focused on who’s responsible for security in this new environment and the need to bake security into the development process (starts at 20:19).
New Relic is a sponsor of the New Stack @ Scale Podcast. However, the content and views expressed are those of the participants of the New Stack @ Scale Podcast, which is the property of The New Stack. Any views expressed on the New Stack @ Scale Podcast do not necessarily reflect the views of New Relic. By embedding the audio for the New Stack @ Scale Podcast or linking to The New Stack, New Relic does not adopt, guarantee, approve or endorse the information, views or products available on The New Stack site.
According to Armon and Jim, developers are increasingly being asked to be responsible for the security of their applications, but if we depend on every developer to make the right security decisions on every deployment, inevitably someone is going to make a mistake. And it’s not going to be their fault, because that kind of system is pretty much designed to systematically encourage mistakes. A better approach is to make the development and orchestration platforms “secure by default” so that even if the developer doesn’t think about security specifically, the platform automatically addresses as many security concerns as possible, such as automatically generating signed certificates, providing identity to the application, and so on.
There also needs to be a change, they say, in the relationship between developers and security experts. Traditionally, developers often looked at the security team as blockers, slowing down deployments at the last minute. To move fast at scale, however, developers need to see the security team as an enabler, showing them the best ways to do things in order to keep shipping quickly.
There’s lots more on security and modern software architectures in the show, and you can learn more in Alex Williams’ blog post on The New Stack.