Number of incidents affecting GitHub, Bitbucket, Gitlab and Jira is rising (opens in new tab)

(helpnetsecurity.com)

23 pointst_believ-er8731y ago13 comments

13 comments

11 comments · 4 top-level

thanksgiving1y ago· 5 in thread

In my opinion, the only true solution is to slow down “velocity” in development teams. If the developers are to be held responsible for producing good, secure code, Only the developers can decide when a feature is ready, not the business.

If the business wants to dictate deadlines, the business is responsible for security.

Edit: I should say development team to include qa, but we don’t have those anymore at most places.

mhitza1y ago

Velocity slows down already with time on all projects (I have yet to see a project where this is not true).

Managers and higher ups might like to pretend this phenomenon doesn't exist, and could pressure the teams to deliver "something" earlier because of their naturally slowed down velocity, which result in prod issues.

I've also been on the other end, where developers felt self inflicted pressure to deliver, because they saw how much they've slowed down.

rco87861y ago

TBH, I think this way of thinking is part of the problem. It's not "developers vs the business". Developers are part of the business.

ASalazarMX1y ago

Developers vs marketers? Vs product managers? Vs CEOs?

They might be part of the business, but they usually have little authority regarding business decisions. Most developers are just told what the business wants.

1 more reply

albertopv1y ago

> Only the developers can decide when a feature is ready

It's the business that pays the wages. Also, time to market is most important (for everyone but Apple), coming later with a better product often doesn't mean a viable business. Problem is almost nobody is promoted for maintaining or improving an existing product, no C-level is interested in tech debt management/reduction, anywhere.

freilanzer1y ago

> It's the business that pays the wages.

It's the developers who do the work.

1 more reply

drewcoo1y ago· 2 in thread

The industry response to this seems to be "DevSecOps," where the only real "Sec" is reactionary monitoring. Monitoring doesn't keep incidents from happening. It only raises internal awareness.

This is the best that most separate security teams do, too.

In all fairness, the "DevOps" part of things can manage deploys in ways to minimize exposure. But most teams that I've seen revert to manual "process" whenever something unusual occurs, so forget about the ideal automated responses to problems we were promised when we were trying to automate sysadmins out of their jobs. There are several layers of broken here that we're not allowed to talk about.

t_believ-er873OP1y ago

You're right about "Sec" in DevSecOps. Unfortunately, often it’s just about being reactive monitoring. It’s true that monitoring alone doesn’t prevent incidents but rather just tells you after the fact that something has gone wrong. The real challenge is integrating proactive security measures that actually prevent incidents before they occur or measures that can help to handle the consequences, like MFA, encryption, regular backups and their testing, Disaster Recovery, etc.

soco1y ago

Oh but we do talk and even praise the "move fast break things" - until it's actually broken, that is.

firtoz1y ago

I wonder if eventually we'll go back to either "more open" or "more decentralised" versions of these, in the longer term. I know there are quite a few that exist, which is in a way already "somewhat decentralised", but some may need to be more "inter-connected" to at least have some of the core "moat" functionalities of GitHub e.g. "see all things this person worked on", "how active are they in the overall community", etc. I can think of some technical bridges, at least...?

CAP_NET_ADMIN1y ago

Around 2021 a lot of higher-up people at my company pushed for moving from our local Gitlab instance (neatly hidden in our segmented VPN network) to the global one - because that's what all of the cool guys are doing.

I've resisted this, because I know that I can sleep peacefully at night when the inevitable monthly "GitLab Critical Patch Release" email comes.

j / k navigate · click thread line to collapse

13 comments

11 comments · 4 top-level

thanksgiving1y ago· 5 in thread

If the business wants to dictate deadlines, the business is responsible for security.

Edit: I should say development team to include qa, but we don’t have those anymore at most places.

mhitza1y ago

Velocity slows down already with time on all projects (I have yet to see a project where this is not true).

I've also been on the other end, where developers felt self inflicted pressure to deliver, because they saw how much they've slowed down.

rco87861y ago

TBH, I think this way of thinking is part of the problem. It's not "developers vs the business". Developers are part of the business.

ASalazarMX1y ago

Developers vs marketers? Vs product managers? Vs CEOs?

They might be part of the business, but they usually have little authority regarding business decisions. Most developers are just told what the business wants.

1 more reply

albertopv1y ago

> Only the developers can decide when a feature is ready

freilanzer1y ago

> It's the business that pays the wages.

It's the developers who do the work.

1 more reply

drewcoo1y ago· 2 in thread

The industry response to this seems to be "DevSecOps," where the only real "Sec" is reactionary monitoring. Monitoring doesn't keep incidents from happening. It only raises internal awareness.

This is the best that most separate security teams do, too.

t_believ-er873OP1y ago

soco1y ago

Oh but we do talk and even praise the "move fast break things" - until it's actually broken, that is.

firtoz1y ago

CAP_NET_ADMIN1y ago

I've resisted this, because I know that I can sleep peacefully at night when the inevitable monthly "GitLab Critical Patch Release" email comes.

j / k navigate · click thread line to collapse