
IBM Spectrum Protect supports container backups

IBM Storage will tackle data protection for containerized and cloud-based workloads with upcoming updates to its Spectrum Protect Plus backup product and Red Hat OpenShift container platform.

Like other vendors, IBM has offered primary storage options for container-based applications. Now IBM Spectrum Protect Plus will support backup and recovery of persistent container volumes for customers who use Kubernetes orchestration engines.

IBM Spectrum Protect Plus supports the Container Storage Interface (CSI) to enable Kubernetes users to schedule snapshots of persistent Ceph storage volumes, according to IBM. The company said the Spectrum Protect backup software offloads copies of the snapshots to repositories outside Kubernetes production environments.

IBM will offer a tech preview of the container backup support in the OpenShift platform that it gained through its Red Hat acquisition. The tech preview is scheduled for this year with general availability expected in the first quarter of 2020, subject to the availability of CSI snapshot support in Red Hat OpenShift, according to Eric Herzog, CMO and vice president of world storage channels at IBM.

“The problem with Kubernetes is there’s really no standard storage architecture. So you’re starting to see all of the vendors scramble to implement CSI driver support, which links your Kubernetes containers with backend storage,” said Steve McDowell, a senior analyst at Moor Insights and Strategy.

CSI snapshots

McDowell said IBM and other vendors are stepping up to provide CSI drivers for general-purpose backend storage for containers. He said few, if any, tier one vendors support CSI snapshots for data protection of Kubernetes clusters.

But enterprise demand is still nascent for persistent storage for containerized applications and, by extension, backup and disaster recovery, according to IDC research manager Andrew Smith. He said many organizations are still in the early discovery or initial proof of concept phase.

Smith said IBM can fill a gap in the OpenShift Kubernetes ecosystem if it can establish Spectrum Protect as a platform for data protection and management moving forward.

Randy Kerns, a senior strategist and analyst at Evaluator Group, said early adopters often stand up their container-based applications separately from their virtual machine environments.

“Now you’re starting to see them look and say, ‘What data protection software do I have that’ll work with containers? And, does that work in my virtual machine environment as well?'” Kerns said. “This is an early stage thing for a lot of customers, but it’s really becoming more current as we go along. OpenShift is going to be one of the major deployment environments for containers, and IBM and Red Hat have a close relationship now.”

IBM Spectrum Protect Plus for VMware

In virtual environments, VMware administrators will be able to deploy IBM Spectrum Protect Plus in VMware Cloud on AWS. IBM said Spectrum Protect would support VMware Cloud on AWS, in addition to the IBM Cloud and various on-premises options available in the past. Herzog said IBM Spectrum Protect Plus would support backups to additional public clouds starting in 2020, in keeping with the storage division’s long-standing multi-cloud strategy.

Also this week, IBM introduced a new TS7770 Virtual Tape Library built with its latest Power 9 processors and higher density disks. The TS7770 will target customers of IBM’s new z15 mainframe, Herzog said.


Mature DevSecOps orgs refine developer security skills training

BOSTON — IT organizations that plan to tackle developer security skills as part of a DevSecOps shift have started to introduce tools and techniques that can help.

Many organizations have moved past early DevSecOps phases such as a ‘seat at the table’ for security experts during application design meetings and locked-down CI/CD and container environments. At DevSecCon 2018 here this week, IT pros revealed they’ve begun in earnest to ‘shift security left’ and teach developers how to write more secure application code from the beginning.

“We’ve been successful with what I’d call SecOps, and now we’re working on DevSec,” said Marnie Wilking, global CISO at Orion Health, a healthcare software company based in Boston, during a Q&A after her DevSecCon presentation. “We’ve just hired an application security expert, and we’re working toward overall information assurance by design.”

Security champions and fast feedback shift developer mindset

Orion Health’s plan to bring an application security expert, or security champion, into its DevOps team reflects a model followed by IT security software companies, such as CA Veracode. The goal of security champions is to bridge the gap and liaise between IT security and developer teams, so that groups spend less time in negotiations.

“The security champions model is similar to having an SRE team for ops, where application security experts play a consultative role for both the security and the application development team,” said Chris Wysopal, CTO at CA Veracode in Burlington, Mass., in a presentation. “They can determine when new application backlog items need threat modeling or secure code review from the security team.”

However, no mature DevSecOps process allows time for consultation before every change to application code. Developers must hone their security skills to reduce vulnerable code without input from security experts to maintain app delivery velocity.

The good news is that developer security skills often emerge organically in CI/CD environments, provided IT ops and security pros build vulnerability checks into DevOps pipelines in the early phases of DevSecOps.

[Photo caption: Marnie Wilking, global CISO at Orion Health, presents at DevSecCon.]

“If you’re seeing builds fail day after day [because of security flaws], and it stops you from doing what you want to get done, you’re going to stop [writing insecure code],” said Julie Chickillo, VP of information security, risk and compliance at Beeline, a company headquartered in Jacksonville, Fla., which sells workforce management and vendor management software.

Beeline built security checks into its CI/CD pipeline that use SonarQube, which blocks application builds if it finds major, critical or limiting application security vulnerabilities in the code, and immediately sends that feedback to developers. Beeline also uses interactive code scanning tools from Contrast Security as part of its DevOps application delivery process.

“It’s all about giving developers constant feedback, and putting information in their hands that helps them make better decisions,” Chickillo said.
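The build gate Beeline describes, as an added example that is not Beeline's or SonarQube's own code: a pipeline step that pulls unresolved security vulnerabilities from SonarQube's issues search web API, fails the build when any sit at MAJOR severity or above (BLOCKER is SonarQube's top severity level), and prints a per-file, per-line list so the developer sees exactly what tripped the gate. The API parameters and issue fields used are SonarQube's documented ones; the project key, rule keys, file paths and the sample response are constructed for the demo, and the network call is only exercised when a base URL is passed.

```python
"""CI gate: fail the build on unresolved SonarQube vulnerabilities at MAJOR+ severity.

Added example for this page; assumes SonarQube's /api/issues/search web API.
Run stand-alone to evaluate the constructed SAMPLE_RESPONSE below, or pass a
server URL and token on the command line to query a live instance.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request
from collections import Counter

# SonarQube severities, most severe first. Anything in BLOCKING_SEVERITIES fails the build.
SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}
BLOCKING_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR")


def issues_query(project_key, severities=BLOCKING_SEVERITIES):
    """Query string for /api/issues/search: open vulnerabilities at the given severities."""
    return urllib.parse.urlencode({
        "componentKeys": project_key,
        "types": "VULNERABILITY",
        "severities": ",".join(severities),
        "resolved": "false",
        "ps": 500,  # page size; a real gate would page through 'total' if larger
    })


def fetch_issues(base_url, token, project_key):
    """Fetch issues from a live server. SonarQube takes a user token as the basic-auth
    username with an empty password."""
    url = f"{base_url.rstrip('/')}/api/issues/search?{issues_query(project_key)}"
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["issues"]


def evaluate(issues):
    """Return (blocking_issues, counts_by_severity). Resolved issues never block,
    even if a caller forgot the resolved=false filter."""
    blocking = [i for i in issues
                if i.get("severity") in BLOCKING_SEVERITIES and not i.get("resolution")]
    return blocking, Counter(i["severity"] for i in blocking)


def format_feedback(blocking):
    """One line per finding, worst first: severity, file:line, rule, message."""
    ordered = sorted(blocking, key=lambda i: (SEVERITY_RANK[i["severity"]], i["component"]))
    lines = []
    for i in ordered:
        path = i["component"].split(":", 1)[-1]  # component is "<projectKey>:<path>"
        lines.append(f"{i['severity']:<8} {path}:{i.get('line', '?')}  {i['rule']}  {i['message']}")
    return lines


def gate(issues):
    """Exit status for the CI step: 0 = pass, 1 = fail."""
    blocking, _ = evaluate(issues)
    return 1 if blocking else 0


# Constructed sample in the shape of an /api/issues/search response (not real scan output).
SAMPLE_RESPONSE = {
    "total": 4,
    "issues": [
        {"key": "AX1", "rule": "java:S3649", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "beeline-app:src/main/java/Orders.java", "line": 88,
         "message": "Change this code to not construct SQL queries directly from user-controlled data."},
        {"key": "AX2", "rule": "java:S2068", "severity": "MAJOR", "type": "VULNERABILITY",
         "component": "beeline-app:src/main/java/DbConfig.java", "line": 14,
         "message": "Remove this hard-coded password."},
        {"key": "AX3", "rule": "java:S5122", "severity": "MINOR", "type": "VULNERABILITY",
         "component": "beeline-app:src/main/java/CorsFilter.java", "line": 31,
         "message": "Make sure this permissive CORS policy is safe here."},
        {"key": "AX4", "rule": "java:S2068", "severity": "MAJOR", "type": "VULNERABILITY",
         "component": "beeline-app:src/main/java/Legacy.java", "line": 7,
         "message": "Remove this hard-coded password.", "resolution": "FIXED", "status": "RESOLVED"},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        found = fetch_issues(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        found = SAMPLE_RESPONSE["issues"]
    blocking, counts = evaluate(found)
    print("\n".join(format_feedback(blocking)) or "No blocking vulnerabilities.")
    print("summary:", dict(counts))
    sys.exit(gate(found))
```

On the constructed sample the gate fails the build: the CRITICAL SQL-injection finding and the open MAJOR hard-coded credential block it, while the MINOR finding and the already-resolved MAJOR do not. The point of printing file, line and rule alongside the exit status is the "constant feedback" Chickillo describes: a red build with no explanation trains nothing, a red build with a line number does.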

Developer security training tools emerge

Application code scans and continuous integration tests only go so far to make applications secure by design. DevSecOps organizations will also use updated tools to further developer security skills training.


“Sooner or later, companies put security scanning tools in place, then realize they’re not enough, because people don’t understand the output of those tools,” said Mark Felegyhazi, CEO of Avatao.com Innovative Learning Ltd, a startup in Hungary that sells developer security skills training software. Avatao competitors in this emerging field include Secure Code Warrior, which offers gamelike interfaces that train developers in secure application design. Avatao also offers a hands-on gamification approach, but its tools also cover threat modeling, which Secure Code Warrior doesn’t address, Felegyhazi said.

Firms also will look to internal and external training resources to build developer security skills. Beeline has sent developers to off-site security training, and plans to set up a sandbox environment for developers to practice penetration testing on their own code, so they better understand the mindset of attackers and how to head them off, Chickillo said.

Higher education must take a similar hands-on approach to bridge the developer security skills gap for graduates as they enter the workforce, said Gabor Pek, CTO at Avatao, in a DevSecCon presentation about security in computer science curricula.

“Universities don’t have security champion programs,” Pek said. “Most of their instruction is designed for a large number of students in a one-size-fits-all format, with few practical, hands-on exercises.”

In addition to his work with Avatao, Pek helped create a bootcamp for student leaders of capture-the-flag teams that competed at the DEFCON conference in 2015. Capture-the-flag exercises offer a good template for the kinds of hands-on learning universities should embrace, he said, since they are accessible to beginners but also challenge experts.