
Application Modernization Requires Good Security Practices

As application development and modernization move forward, security has never been more important. This episode of the Tech Field Day podcast introduces AppDev Field Day with a discussion of the importance of DevSecOps featuring Paul Nashawaty, Mitch Ashley, Michael Levan, and Stephen Foskett. Application security isn’t just about the vulnerabilities in the application itself; the entire software stack must be secure. There are many approaches, from vulnerability scanning to minimization of the attack surface, but the most important thing is to build security into software from the start. There are many parallels between physical infrastructure and software applications, with many of the same security considerations. Various components make up a software bill of materials (SBOM), and any of these can expose a vulnerability or be attacked. Platform engineering is an important connector between infrastructure and developers, and plays a major role in reducing the attack surface. It’s all about bringing expertise to the table to build supportable and secure platforms for modern applications.



Application development and modernization require a strong focus on security to ensure both new and heritage applications are protected. Applications can be categorized into heritage, modern (containerized and orchestrated), and future (potentially involving WebAssembly and serverless technology) states. Addressing security challenges such as skill gaps, refactoring decisions, and ecosystem integration is crucial.

The rise of open-source vulnerabilities has made application security increasingly overwhelming. It is essential to secure the entire software lifecycle, including the supply chain and toolchain used for development, testing, and deployment. A holistic approach to application security, beyond just APIs and vulnerabilities, is necessary.

While securing containers, pods, clusters, and VMs is important, the primary focus should be on code security. Vulnerabilities within the code cannot be compensated for by external security measures. Organizations must integrate security at the code level to ensure robust protection.

Reducing the attack surface is a key part of modernization efforts. Refactoring monolithic applications into microservices and containerizing them can help streamline applications and minimize their attack surface. Segregating common elements and business logic reduces exposure and enhances security.

The concept of “shift left” involves integrating security early in the development process rather than treating it as an afterthought. This approach ensures that security is built into the design and development process from the start, much like incorporating airbags into a car during manufacturing rather than adding them later.

Platform engineering plays a significant role in enhancing security. Platform engineers build environments for internal teams, including QA, security, IT, DevOps, and developers. This role requires a deep understanding of networking, infrastructure, virtualization, Kubernetes, software development, and security. It is a position suited for senior or principal-level engineers with extensive experience.

Platform engineering focuses on creating supportable, sustainable, and secure platforms for developers. Leveraging expertise to deliver secure and reliable systems aligns with broader IT goals.

Integrating security into every aspect of application development and modernization is crucial. Adopting DevSecOps principles, emphasizing platform engineering, and taking a holistic approach to security are essential for building secure applications. By prioritizing code security, reducing the attack surface, and leveraging expertise, organizations can enhance their security posture and ensure successful modernization efforts.

Podcast Information:

Stephen Foskett is the Organizer of the Tech Field Day Event Series, now part of The Futurum Group. Connect with Stephen on LinkedIn or on X/Twitter.

Michael Levan is a Network Engineer as well as a Kubernetes and Containers Trainer, Consultant, and Content Creator. You can connect with Michael on LinkedIn or on Twitter. Find out more about Michael on his blog or on his YouTube channel.

Mitch Ashley is the Principal Analyst and CTO at the Techstrong Group. You can connect with Mitch on LinkedIn and view more of the content he appears on at the Techstrong TV website.

Paul Nashawaty is a Practice Lead focused on Application Development Modernization at The Futurum Group. You can connect with Paul on LinkedIn and learn more about his research and analysis on The Futurum Group’s website.

Learn more about the Tech Field Day podcast on the Tech Field Day website. Follow the podcast on X/Twitter and follow Tech Field Day and Gestalt IT on LinkedIn for more great content.


Thank you for listening to this episode of the Tech Field Day Podcast. If you enjoyed the discussion, please remember to subscribe on YouTube or your favorite podcast application so you don’t miss an episode and do give us a rating and a review. This podcast was brought to you by Tech Field Day, home of IT experts from across the enterprise, now part of The Futurum Group.

About the author

Stephen Foskett

Stephen Foskett is an active participant in the world of enterprise information technology, currently focusing on enterprise storage, server virtualization, networking, and cloud computing. He organizes the popular Tech Field Day event series for Gestalt IT and runs Foskett Services. A long-time voice in the storage industry, Stephen has authored numerous articles for industry publications, and is a popular presenter at industry events. He can be found online at TechFieldDay.com, blog.FoskettS.net, and on Twitter at @SFoskett.
