DevSecOps

Paradoxes point towards areas of reality that are poorly understood or obfuscated by how we use language to model reality. Investigating seeming paradoxes is a key to gaining greater understanding of how the world works.

  • How can free will exist if God is omniscient?

  • How is it that we learn from history only that we cannot learn from history?

  • How can secure software be developed at speed and scale?!

Perhaps God doesn’t exist? Perhaps free will is an incoherent concept? Perhaps ‘history’ is a misleading conceptual superimposition on the ever-changing present moment?

Perhaps security can be used to enhance software delivery?

This is the ultimate IT paradox for modern global enterprise organizations: go fast. No, actually, go faster. But, and this is critical, it had better be secure.

The resolution of this seeming paradox is DevSecOps: an approach that integrates these apparently contradictory enterprise demands into a coherent and effective way of delivering software.

DevSecOps embeds security and governance requirements, expressed as code, at every stage of the software delivery pipeline. Security becomes part of the operating model that lets you develop software at speed and scale, rather than a gate applied at the end of the process.
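As an added illustration of what "security and governance requirements as code" can look like in practice (this is example code, not code from the original post or its authors): a small policy gate that a CI job would run over a checkout and that fails the build when a requirement is violated. The three rules, the file names and the two sample repositories below are constructed for the example; a real pipeline would delegate each concern to a dedicated scanner. The point is only that the requirement is a test the build fails, not a document a reviewer is expected to remember.

```python
"""Minimal 'security requirements as code' gate for a CI pipeline.

Added example, not code from the original post. Rules, file names and
the two sample repositories are constructed for illustration.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # short, stable rule identifier so findings can be tracked
    location: str   # file[:line] where the rule was violated
    detail: str


# Rule DEP-PIN: every third-party dependency must be pinned to an exact version.
PIN_RE = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?==\S+$")

# Rule SECRET: crude pattern for credential-looking literals in source or config.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
)


def check_pinned_requirements(text: str) -> list[Finding]:
    """Flag requirements.txt entries that are not '==' pinned."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or line.startswith("-"):  # blank lines and pip options
            continue
        if not PIN_RE.match(line):
            findings.append(Finding("DEP-PIN", f"requirements.txt:{lineno}",
                                    f"unpinned dependency: {line}"))
    return findings


def check_dockerfile(text: str) -> list[Finding]:
    """Base images must carry a specific tag or digest (rule IMG-TAG); the
    container must drop to a non-root USER before it runs (rule RUN-NONROOT)."""
    findings = []
    has_nonroot_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("FROM "):
            image = line.split()[1]
            if image == "scratch" or "@sha256:" in image:
                continue  # empty or digest-pinned base image is fine
            last = image.split("/")[-1]       # strip registry and namespace
            tag = last.split(":", 1)[1] if ":" in last else None
            if tag is None or tag == "latest":
                findings.append(Finding("IMG-TAG", f"Dockerfile:{lineno}",
                                        f"base image not pinned: {image}"))
        elif upper.startswith("USER "):
            user = line.split(None, 1)[1].strip()
            if user not in ("root", "0"):
                has_nonroot_user = True
    if not has_nonroot_user:
        findings.append(Finding("RUN-NONROOT", "Dockerfile",
                                "no non-root USER instruction"))
    return findings


def check_secrets(path: str, text: str) -> list[Finding]:
    """Flag lines that look like a hardcoded credential, in any file type."""
    return [Finding("SECRET", f"{path}:{n}", "possible hardcoded credential")
            for n, line in enumerate(text.splitlines(), 1)
            if SECRET_RE.search(line)]


def run_gate(files: dict[str, str]) -> list[Finding]:
    """Apply every rule to an in-memory checkout given as {path: contents}."""
    findings: list[Finding] = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "requirements.txt":
            findings += check_pinned_requirements(text)
        elif name == "Dockerfile":
            findings += check_dockerfile(text)
        findings += check_secrets(path, text)
    return findings


# Constructed sample: the kind of checkout the gate should reject ...
WEAK_REPO = {
    "requirements.txt": "requests==2.32.3\nflask>=2.0\n# dev tool\nblack==24.4.2\n",
    "Dockerfile": "FROM python:latest\nCOPY . /app\n"
                  "RUN pip install -r /app/requirements.txt\nCMD [\"python\", \"/app/app.py\"]\n",
    "settings.py": "DEBUG = False\nAPI_KEY = \"sk-live-0123456789abcdef\"\n",
}

# ... and the same checkout with every finding fixed.
HARDENED_REPO = {
    "requirements.txt": "requests==2.32.3\nflask==3.0.3\nblack==24.4.2\n",
    "Dockerfile": "FROM python:3.12-slim\nRUN useradd --create-home app\nCOPY . /app\n"
                  "RUN pip install -r /app/requirements.txt\nUSER app\n"
                  "CMD [\"python\", \"/app/app.py\"]\n",
    "settings.py": "import os\nDEBUG = False\nAPI_KEY = os.environ[\"API_KEY\"]\n",
}

if __name__ == "__main__":
    for label, repo in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        results = run_gate(repo)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  {f.rule:12} {f.location:22} {f.detail}")
    # In CI the checkout under test is the only input; a non-zero exit fails
    # the build. Here the weak sample stands in for it, so the status is 1.
    sys.exit(1 if run_gate(WEAK_REPO) else 0)
```

Each rule returns structured findings rather than printing, so the same gate can feed a pull-request comment, a dashboard or a build status; the weak and hardened checkouts side by side show what a developer has to change to get a green build.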

By including security at every stage of the software lifecycle, enterprises can reap significant benefits:

  • Reduced costs

  • Increased delivery speed

  • Increased recovery speed

  • Enhanced monitoring, auditing, threat hunting

  • Reduced vulnerabilities

  • Increased code coverage

  • Infrastructure is ‘secure by design’

  • Continuous improvement

  • Global security responsibility

  • Culture of transparency and openness

  • Secure innovation at speed and scale

And all of the above translate into: increased sales!

In this short blog series, we will cover best practices for adopting DevSecOps across the three central pillars: people, process and technology.

Getting to DevSecOps: People

No matter how many technologies you implement, the weakest link in that chain will always be the human factor, so people must be the starting point for any DevSecOps implementation.

One of the most important aspects of DevSecOps is challenging the way traditional security teams integrate with the wider business. Changing habits and raising awareness across all levels of a company are not easy tasks and require a top-down approach if attitudes are to change.

Here are some excerpts on specific practices you can use when designing the people component of your transformation, taken from our whitepaper, Introduction to DevSecOps and Best Practices for Adoption.

1. Breaking Down Barriers and Silos

For security to be effective, we need to include security concerns - and the security ‘mindset’ - as early as possible in the software delivery pipeline.

One way of doing this is with security champions.

Security champions are members of a team that help to make decisions about when and how to address security concerns. Security champions act as the ‘voice’ of security for a given product or team, and they assist in the triage of security bugs for their team or area. They are evangelists for the security mindset, obsessively expounding on the importance of security across all areas!

Some of the most important duties of the security champion include the following:

  • Emphasize security concerns across all teams - not just the ‘Security Team’

  • Evangelize the ‘security mindset’

  • Ensure that security is not a blocker on active development or reviews

  • Be empowered to make security decisions for their team

  • Work with the AppSec team on mitigation strategies

  • Help with QA and Testing

  • Write Tests (from Unit Tests to Integration tests)

  • Help with the development of CI (Continuous Integration) environments

2. Training Your Staff

Any successful DevSecOps program invests in good training and professional development for its staff. Training must be rooted in company goals, policies and standards for software security, and learning media must be flexible and tailored. To foster and develop good security staff, organizations must give new hires the training and tools they need to do their jobs well and to contribute to the release of secure software. Engaging specialist security and DevOps training organizations to raise staff skills and awareness is essential for maintaining customer trust. Good training ensures that standards are implemented correctly.

3. Culture is Everything

Simply having the proper DevSecOps processes and technologies will not achieve anything if the company culture, embedded in people across all areas of the business, does not allow those processes and technologies to be used properly.

The security team has traditionally been a drag on release performance. It becomes the 'Department of "No"' and, as a result, is marginalized over time, creating a self-reinforcing downward spiral of division between teams. DevSecOps aims to break down these barriers and stop security from being an echo chamber that implements policies or tooling without considering the wider business.

When DevSecOps is fully embraced there is no longer a single ‘Security Team’ but a constantly improving security mindset across the business.

The Foundation for Security

Proper training, a restructuring of teams and the appointment of security champions means that security becomes less the function of a single department and more a frame of mind that permeates the company - starting in particular with development teams.

This sets the foundation for the successful implementation of security processes and technologies, bringing security into development projects much earlier. It also makes software delivery cycles quicker, easier and cheaper.

Converting the people in your organization is the foundation stone of DevSecOps, but there are important considerations across processes and technologies as well. If you’d like to learn more about our vision for DevSecOps in the enterprise - across people, process and technology - check out our free guide: Introduction to DevSecOps & Best Practices for Adoption.

  • Emre Erkunt

    Principal DevSecOps Consultant

    Emre has over two decades' experience in IT across giant enterprises as well as start-ups. He has always been intrigued by security, whether on his Amstrad CPC 464 when he was six years old, watching the evolution of languages and OSs (GNU/Linux) or playing with the latest DevSecOps tooling. He takes a K.I.S.S. approach to his work: keep it simple, stupid!