#88 Collaborative DevSecOps
on Mon May 23 2022 17:00:00 GMT-0700 (Pacific Daylight Time)
On this episode, Darren talks with Sophos’ Callen Sapien, Director of Product Management, Sophos Factory, and Mike Fraser, VP of DevSecOps about their product that allows for truly collaborative SecDevOps.
Mike’s experience as a cybersecurity engineer in the Air Force and then working in development, security, operations, and managed services led him to a goal of creating a product that could be collaborative to build modern automation around what he calls IT as code. He wanted to look at DevSecOps holistically, bringing everyone together.
His resulting product, Sophos Factory, creates modern solutions around building blocks with the features, functionality, and user experience that can be used across the full spectrum of technical talent. This was a complex problem to solve, because it had to serve people who work visually, developers who code, and everyone in between. It also had to bridge the gap between hardware and software, using an agile process across teams.
Sophos Factory is more than just a CI/CD pipeline. That is a small part of the whole system, which works end to end from development, security, operations, and deployment with features like a visual builder, DSL, and support for all content in its native format. It also ties into existing systems. It brings in all the different teams and the different tools they use, so it is significantly beyond simply making a pipeline or automation.
Individual users are presented with the pieces they are familiar with, but all with the same interface. For example, a set of scripts can be built from a visual format. A security person can consume the same interface with the tools and artifacts they expect. A full-stack developer or a DevOps engineer can pull in and build all of the artifacts in a way the other teams can use. It’s not the creation of a pipeline for an automation piece but an interconnective fabric between disparate systems.
Integration means the movement of data, but it also means actions. For example, suppose someone uses Jira on the coding side, ServiceNow on the IT ops side, and an incident response piece on the security side. In that case, you can integrate all those pieces and fire off something to Slack, so everyone has visibility and can respond in near real-time.
Sophos Factory packages modules into pipelines for reusability, and those pipelines become building blocks. These can be built around various use cases, but the goal is that you create something that can be used over and over again. For example, suppose you are using ServiceNow and want to create a ticket. In that case, you can reuse that step across other use cases around network automation, infrastructure automation, cloud-native security, and so on. It is solution-building rather than just automating these things together. The last piece is future-proofing, not just repeatability. You can add to or remove from the overall pipeline, which is not possible with hardware and is also very difficult with existing CI/CD systems, which are made for releasing software to production, not for holistically building a solution and maintaining its lifecycle over time.
With Sophos Factory technology, you can package different tools to help adhere to standards such as CIF or NIST 853 and have them available as low-code or no-code pipelines. Sophos Factory diverges from other automation technology with its sharing via solution catalogs. You can publish automation building blocks or complete solutions, or consume automation created by other teams. This creates a tremendous amount of flexibility.
Version control is built into the pipelines and the solution catalogs. If you are using a solution pipeline from a record that somebody else published, you can pin it to whatever version you want or pull from the latest version to get any updates. RBAC is also part of the system in case you want only particular users to have, for example, read-only access. With the interoperability of Sophos Factory, you can also integrate scanning tools to maintain visibility in the pipeline, and you can run different channels around policy tools.
Sophos Factory weaves together security and IT workflows, creating an excellent integration point among the three-headed monster of Dev, Sec, and Ops.
To improve security, Sophos Factory has a zero-trust and attestation product, but they also work with other security products such as HashiCorp Consul. Zero-trust and attestation capability is the natural evolution of authentication between different systems. Rather than static credentials, there are now better ways for systems to communicate and share attestations with each other securely.
Sophos Factory has a built-in credentialing system for key management, and it supports HashiCorp Vault and cloud-native templates. They can also work with key management services built into the cloud and packaged around a pipeline. There is not just a credential variable at runtime but also a credential step that is only evaluated at runtime. They can layer on top of these security tools, so the tools naturally become part of the solution you are building.
Sophos Factory is in the RPA space, but it is far beyond a typical RPA runner. They are technically RPA because, although humans are still involved in making things, the machines are leveraged to automate the process. Customers are looking for ways to scale and to securely get value from the IT they purchase. Sophos Factory embraces helping technical talent level up, giving them access to toolsets, getting more out of those toolsets, and doing it securely.