When we heard the news that Puppet, a company primarily regarded as a DevOps tech company, was talking about security vulnerabilities and venturing into security and remediation, we decided to have a chat with Jonathan Stewart, Senior Product Manager of Puppet, to understand more about Puppet’s new plans.
Jonathan Stewart, Senior Product Manager of Puppet
We were interested in why Puppet, a company focused on infrastructure automation, made an announcement that was security-focused. Were they jumping on the “Cybersecurity bandwagon”?
We threw them some questions to find out more, and their answers gave us some clarity. There’s a lot of detail in this interview, but our attention was drawn to the fact that many vulnerabilities stem from human and configuration error: not malicious, but very exploitable nonetheless. In this respect, applying expertise in infrastructure automation to security makes sense. Being able to find and remediate these kinds of configuration vulnerabilities at scale does seem like something in Puppet’s sweet spot.
According to Jonathan, security shouldn’t be separated from DevOps, as DevOps teams automate manual tasks away and choose Puppet to do just that. Given Puppet’s strength in this area, Jonathan explained that it made sense for them to focus their efforts on vulnerability remediation. Puppet’s deep understanding of DevOps disciplines and their strength as an infrastructure automation vendor implied that infrastructure and security teams need to work together when it comes to vulnerability management workflows.
“Security practices and security teams should not be siloed from the development and operations teams. In fact, DevOps practices can help to improve an organisation’s security posture. Our recently published 2019 State of DevOps Report found that companies that integrate security from the beginning of their software lifecycle say their security practices are more than twice as effective as companies that don’t. What matters is for companies to integrate security from the earliest stages of software development.”
With that said, we were curious about the targets of Puppet Remediate. Were they going to be IT and Cybersecurity vendors or was Puppet going to work directly with an organisation?
Jonathan answered that Puppet Remediate helps organisations mitigate their security risks sooner, enabling IT Ops to reduce the number of vulnerabilities faster and at scale. It eliminates repetitive and error-prone steps in the vulnerability management workflow, from manual data handover between InfoSec and IT Ops to vulnerability prioritisation and remediation. To put it simply, any company that uses software opens itself to potential security vulnerabilities and should find it in their interest to ensure that such vulnerabilities are taken care of.
“With Puppet Remediate, a company can unify infrastructure and vulnerability data, quickly identify what infrastructure resources are impacted by vulnerabilities and take action to remediate the vulnerable packages based on what infrastructure their business stakeholders need to be prioritised. It works with both Linux and Windows. For instance, the sudo vulnerability was recently announced and can be remediated with Puppet Remediate.”
Jonathan pointed out that Puppet Remediate is aimed squarely at the remediation space and the ability to actually fix vulnerabilities rather than simply finding them. Referring to Forrester’s security survey published in 2018, he added that 58% of enterprise organisations suffered a breach at least once in the previous year, and over 41% of those external breaches exploited some software vulnerability.
“There’s a huge and untapped market for remediating vulnerabilities. With the addition of Puppet Enterprise, organisations can take a more proactive approach to continuous compliance with operational, security and regulatory policies with our policy-as-code capabilities and reuse their code across both Puppet Remediate and Puppet Enterprise when it makes sense to do so.”
So, is Puppet really venturing into cybersecurity? Looking at their solutions, they definitely seem to be serious about venturing into the industry. But with the cybersecurity market already filled with other companies offering remediation solutions as well, it will be interesting to see Puppet’s influence in this area in the years to come.