Our CEO, Alex Bovee, had the opportunity to talk with Travis McPeak about emerging trends in security, compliance, and platform engineering. Travis is the co-founder and CEO of Resourcely, a startup that helps developers simplify cloud resource management and security through automation and well-defined guardrails. He is a security leader with over a decade of experience spanning cloud security, application security, and automation at companies like Netflix, Databricks, IBM, HP, and Symantec.
Here, we highlight the key takeaways from their conversation. To hear more, check out the playlist on our YouTube channel here!
1. Tickets are an anti-pattern for productivity
Ticketing systems are often the main, and sometimes the only, channel of communication between teams in an organization. Take security: its goal is to minimize company risk, yet frequently the final (and only) way to get an issue resolved is to file a ticket with another team. Fixes for infrastructure or application vulnerabilities can then take days or weeks, and the issue stays open the whole time. At best, it’s an inefficient process.
“A developer shouldn’t have to wait days or weeks for a central team to get around to helping them.” - Travis McPeak, CEO and Co-Founder of Resourcely
2. Centralized guardrails and policies improve security and enable productivity
Democratization, self-service, automation, and policy-driven guardrails are emerging as the central IT and security themes for the next decade, and platform engineering plays a central role in each of them. Security platforms provide automation tooling that encodes best practices while enabling self-service. Often this takes the form of a menu of reasonable default configurations or policies offered to consumers, so they do not have to be security experts to make the right decisions. It also lets the company operate with a guardrails mentality: radically enable self-service, as long as the result follows the established security policies.
“Security teams can provide these reasonable defaults in self-service systems so that developers don’t have to be security experts to effectively handle security for themselves.” - Travis McPeak, CEO and Co-Founder of Resourcely
3. Shifting left means building in security best practices and controls in workflows
The later a vulnerability is discovered, the more expensive it is to fix. “Shifting left” means dealing with an issue before it becomes a live vulnerability: either preventing it outright through policy or controls, or proactively identifying and remediating it early in the workflow.
Tactically, this means developers and employees should be equipped to build and operate within pre-defined, security-driven guardrails, rather than waiting for an expert to guide them ad hoc on security best practices. In cloud resource management, for example, developers should not have to know every setting and configuration option in their IaaS provider. A more effective system gives them an interface with a predefined set of templates to choose from, all of which conform to the standards defined by security.
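As an added illustration of the template-plus-guardrail pattern described above (example code written for this article, not Resourcely’s product and not any cloud provider’s API), the following Python models a self-service storage bucket template with secure defaults and an automated policy check that approves or rejects a proposed change on the spot, with no ticket in the loop. The resource schema, guardrail names, and sample resources are all constructed for the example.

```python
"""Self-service template with secure defaults plus an automated guardrail check.

Added example for this article; not Resourcely's code and not a real cloud
provider's API. Resources are plain dicts using a constructed, simplified
schema for a storage bucket.
"""

# Guardrails defined once by the security team: (name, predicate, remediation hint).
# A predicate returning False means the resource violates that guardrail.
GUARDRAILS = [
    ("block_public_access", lambda r: r.get("public_access") is False,
     "set public_access to false"),
    ("encryption_at_rest", lambda r: r.get("encryption") in ("AES256", "aws:kms"),
     "enable server-side encryption (AES256 or aws:kms)"),
    ("versioning_enabled", lambda r: r.get("versioning") is True,
     "enable object versioning"),
    ("access_logging", lambda r: bool(r.get("logging_target")),
     "send access logs to a logging bucket"),
]


def secure_bucket_template(name, owner, **overrides):
    """The menu item a developer picks: secure defaults are pre-filled and the
    developer supplies only what they know (name, owner, optional overrides).

    Overrides are applied as given; the guardrail check, not this function,
    decides whether the resulting resource is acceptable.
    """
    resource = {
        "type": "storage_bucket",
        "name": name,
        "owner": owner,
        "public_access": False,          # security-owned default
        "encryption": "aws:kms",         # security-owned default
        "versioning": True,              # security-owned default
        "logging_target": "central-access-logs",  # constructed log bucket name
    }
    resource.update(overrides)
    return resource


def evaluate(resource):
    """Return a list of (guardrail, remediation) violations; empty means compliant."""
    return [(name, fix) for name, check, fix in GUARDRAILS if not check(resource)]


def review_change(resources):
    """Gate a proposed change automatically.

    Returns (approved, findings): approved is True only if every resource passes
    every guardrail, and findings maps resource name -> violation list so the
    developer gets the remediation immediately instead of filing a ticket.
    """
    findings = {r["name"]: evaluate(r) for r in resources}
    approved = all(not violations for violations in findings.values())
    return approved, findings


if __name__ == "__main__":
    # Constructed sample change: two buckets from the template, one hand-written.
    change = [
        secure_bucket_template("billing-exports", "payments-team"),
        # Developer overrode a security-owned field; the template allows it,
        # the guardrail catches it.
        secure_bucket_template("marketing-assets", "web-team", public_access=True),
        {"type": "storage_bucket", "name": "legacy-dumps", "owner": "data-team",
         "public_access": True, "encryption": None, "versioning": False},
    ]
    approved, findings = review_change(change)
    print("approved" if approved else "rejected")
    for bucket, violations in findings.items():
        for guardrail, fix in violations:
            print(f"  {bucket}: {guardrail} -> {fix}")
```

The design point is the split of responsibility: the template is what makes the secure path the easy path, and the guardrail check is what makes the insecure path fail fast with an actionable message rather than a queued ticket. In a real pipeline the same `review_change` logic would run against the planned resources from the IaC tool on every pull request.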
“[At Resourcely] we want to put an end to developers having to learn the complexity of cloud resources, settings, and your company’s policies. All that should be solved for them.” - Travis McPeak, CEO and Co-Founder of Resourcely
***
Companies are adopting cloud apps and infrastructure at a massive scale, and typical detection-and-response approaches do not scale well in this environment. Security must adapt by “shifting left”: moving from alert-and-response-driven workflows to automation geared towards prevention, governed by guardrails that stop vulnerabilities from being created in the first place.
If you’re interested in talking more about the future of security on our video series, give us a shout. We’d love to hear from you!