
Nexus Innovator: Bryan Batty of Bloomberg Industry Group, Part 2

Editor’s note: This is Part Two of a four-part series, talking with Bryan Batty, Director of Product and Infrastructure Security at Bloomberg Industry Group. In Part One, we talked about the use of open source components and how to manage their usage through Software Composition Analysis (SCA) tools. In this section, Bryan discusses his ideas around making security an essential part of the software supply chain.

“If you had nothing else, at least know that you can version your software, and that two different people working on it at the same time aren’t going to step on each other’s toes.” — Bryan Batty

Building a Secure Pipeline

Mark Miller:

If somebody is trying to wrap their head around the idea of a DevOps pipeline and putting security in as DevSecOps, where do you start?

Bryan Batty:

There are many different answers to that question. It depends on how big your organization is, how mature your pipeline is already. If you don’t have a pipeline, build a pipeline.

Mark Miller:

Define pipeline, what’s a pipeline?

Bryan Batty:

That would start with the source control system. If you had nothing else, at least know that you can version your software, and that two different people working on it at the same time aren’t going to step on each other’s toes. Even with modern pipelines, that does happen a little bit. Like GitHub, if you forget to pull before you push. There are issues with merging other people’s changes into your code.

Start out with a good source control system and also continuous integration. Basically, a good delivery pipeline, when you’re building software, includes quality gates along the way. Those quality gates are usually for testing, and you want to test to make sure the software is doing what (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/nexus-innovator-bryan-batty-of-bloomberg-industry-group-part-2-of-4