Open source devops business Chef arrived at security almost by accident - but now it’s winning compliance contracts based on GDPR alone as it begins to position itself as a vital automated security and compliance company.
Dominik Richter, product manager for Inspec at Chef, tells Computerworld UK that after his VolcanoSec business was acquired by the devops company, the firm began using a testing framework for operations to check whether systems were in the security state he expected them to be.
He says: “Then we realised, crap, there is a huge Excel sheet we have to continually fill out and all these requirements we have to cross off, and thought, ‘what if I took that testing engine and moved it to security’?”
That evolution led the company towards Inspec, part of its compliance automation offering. Although the business is best known for its open source devops tooling and community, the compliance side is lending Chef serious credibility as a security company too.
“If you look at how security companies evolved and how they came to be it was usually from antivirus, and then came the first vulnerability testers, then that has evolved in the compliance direction,” says Richter. “Chef came in from the other side and it was very unexpected. We came in from infrastructure automation, so we do not do the vulnerability part but we are establishing a new paradigm - devops for security people.”
Chef’s messaging is that it’s ahead of the curve for culture and practice, and the company believes it is leading trends in terms of shaping the future for security professionals.
As devops has shrunk the gap between developers and operations, Chef believes this will also happen for security professionals. One of the central messages from the devops movement is about breaking down silos, and Richter believes that this will inevitably have to happen with security professionals too.
“You cannot silo off the operations of an environment from security because the only thing you get is a cat and dog situation where they’re fighting each other,” says Richter. “I’ve seen it first hand and I’ve lived through it. You go through requirements and it’s like why do I have to do that? Why do you always come in and mess with my environments? This has to change.
“And what we’re seeing is exactly that - you get conversations between devops and security happening, working towards a common goal, instead of the constant in-fighting. For that, structures are changing as well. There is cultural change to open that up, process change, to establish new patterns of communications, and where we come in is the tooling change, because we provide you with the right tools to do this job.”
Joe Pynadath, general manager for software in EMEA, says Chef has started to see the same breaking down of silos in security that it has seen between developers and operations.
“Often, security has been a completely separated team doing their own things,” Pynadath says. “We are starting to see, and we are starting to help bring that message along, that it can’t be operated in a silo, it has to very much be hand in hand with what you’re doing from an overall operations and development perspective.”
“Because we’re coming at it from that overall devops automation perspective it’s very natural that security has to be brought into the fold - it’s not really an option to keep that separate anymore,” he explains. “We’re starting to find that compliance for people with devops initiatives, the security aspect of that is becoming one of their first priorities when they’re engaging in their devops journey and that’s something we probably would not have predicted two years ago.”
That doesn’t look like an erasure of the security professional. Richter acknowledges that infosec professionals carry an enormous amount of knowledge and bring a valuable understanding of risk to the table. But as the WannaCry ransomware attack showed, it’s especially necessary for teams that work to push software out as quickly as possible to consult with security.
“When I was working as a pen-tester, usually we went into these systems and what I really wanted to do was drive very high-level, complex hacks,” Richter says. “But what we usually found was that people got their basics wrong, so most of my reports were all the basics you should have done in the first place.
“Imagine that going away, because security folks can automate that and then you can focus on high-level, real apps that are being exposed, and are unique to you. This is where you should put your energy, rather than the repeatable stuff we can automate for you.”
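What Richter describes is a testing engine pointed at security: a set of baseline controls, each with an expected state and an impact weight, run against the real configuration of a system and reported as pass or fail. Here is a miniature of that idea in plain Ruby, written as an added illustration for this article rather than code from Chef or from the Inspec project. It parses constructed sshd_config-style text and evaluates four hypothetical controls of the "basics you should have done in the first place" kind; the control ids, titles, impact values and the sample configuration are all invented for the example. In Inspec itself the same checks would be expressed with its `control` blocks and the built-in `sshd_config` resource instead of this hand-rolled parser.

```ruby
# Added example, not Chef's or Inspec's code: a tiny compliance engine that
# checks a parsed sshd_config-style text against a baseline of controls.
# Control ids, titles, impact scores and the sample config are constructed.

Control = Struct.new(:id, :title, :impact, :key, :expected)

# Hypothetical baseline: the repeatable checks a pen-test report keeps repeating.
BASELINE = [
  Control.new('ssh-01', 'Root login over SSH is disabled',     1.0, 'PermitRootLogin',        'no'),
  Control.new('ssh-02', 'Password authentication is disabled', 0.7, 'PasswordAuthentication', 'no'),
  Control.new('ssh-03', 'Empty passwords are refused',         1.0, 'PermitEmptyPasswords',   'no'),
  Control.new('ssh-04', 'X11 forwarding is off',               0.3, 'X11Forwarding',          'no'),
].freeze

# Parse "Keyword value" lines into a hash keyed by lowercased keyword.
# Comments and blank lines are skipped; the first occurrence of a keyword
# wins, which is how sshd itself resolves duplicate directives.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    settings[key.downcase] ||= value
  end
  settings
end

# Evaluate every control against the parsed settings. A directive that is
# absent from the file yields actual == nil and therefore fails, so a missing
# hardening line is reported rather than silently passed.
def run_controls(text, controls = BASELINE)
  settings = parse_sshd_config(text)
  controls.map do |c|
    actual = settings[c.key.downcase]
    {
      id: c.id, title: c.title, impact: c.impact,
      expected: c.expected, actual: actual,
      passed: actual == c.expected
    }
  end
end

# Roll the per-control results up into the numbers a dashboard would show.
def summarize(results)
  failed = results.reject { |r| r[:passed] }
  {
    total: results.size,
    failed: failed.size,
    worst_impact: failed.map { |r| r[:impact] }.max || 0.0
  }
end

# Constructed sample configuration, not taken from any real host.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample for the example
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding yes
CONF

if $PROGRAM_NAME == __FILE__
  results = run_controls(SAMPLE_SSHD_CONFIG)
  results.each do |r|
    status = r[:passed] ? 'PASS' : 'FAIL'
    puts format('%-4s %-6s impact %.1f  %s (expected %s, got %s)',
                status, r[:id], r[:impact], r[:title], r[:expected], r[:actual].inspect)
  end
  p summarize(results)
end
```

The point of keeping impact on each control is that a failing root-login control and a failing X11 control should not look the same in the report; the summary's `worst_impact` is what lets an operations team triage the output instead of treating the Excel sheet as a flat checklist.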