by Matthew Flannery – CTO of Accelera Group
This article is the first introductory chapter in a series which will follow, where we will explore what DevSecOps means, and how it can be adopted.
The concept of DevSecOps isn’t a new one. At its core it’s simply about embedding security into DevOps by ‘shifting security left’, aligning it with the CI/CD pipeline(s) (Continuous Integration/Continuous Delivery) and the SDLC (Software Development Life Cycle).
Logically it makes sense given the importance of security and the thousands if not millions of dollars that organisations invest in strengthening their security posture – and the possibility of even greater financial and reputational pain when a breach occurs that isn’t managed. People understand that for agility – things need to be automated; walls need to be brought down, the right tools and processes put in place; and it should be no different in adding this other vital dimension to the application delivery measurements of velocity and quality– security.
Why is security still a mirage?
Security isn’t at the end of a sprint, or just at the start, or indeed seen as an overlay or advisory service from another team. Unfortunately, there isn’t a single switch or single tool that will take you from DevOps to DevSecOps and those looking for such a “shortcut” will find it challenging to get started.
Security should be automated and embedded
Integrating security automation so that assessment and remediation advice is readily and always available to the engineering team has to be at the forefront of the DevSecOps program you develop. This continuous feedback loop is critical to a successful DevSecOps model. Otherwise the human nature to avoid rather than confront will very quickly creep in.
However, automation for automations sake, and without considering how it is consumed or actioned, will continue to impede you in getting past the impression of “being asked to do more work with no more time in the day to do it”. As one technologist put it “automation applied to an inefficient operation will magnify the inefficiency”.
Ensuring repeatable, measurable and efficient processes, using pre-configured best practice security policies; allows for the streamlining and removal of the delays of existing manual involvement. With security embedded into each phase it will claim its rightful place as an important tenet of application quality.
The opportunity to adjust your CI/CD pipeline and SDLC to include security is available and must be taken.
Security should be everyone’s responsibility
Simply expecting your current engineering teams to also “do the security things” or become security experts organically is unrealistic given they are likely goaled on speed of delivery, getting useful features created, and ensuring the environment is reliable and robust. Fostering a culture of security being a shared responsibility, and ensuring that there is universal buy-in cements the effectiveness of your DevSecOps program
A successful approach to building a DevSecOps culture is to cultivate and promote security champions. These champions empower the cross-functional DevOp teams to focus on the benefits of application security and security operations, to overcome the sentiments of security being a tax and an impedance to performance. These champions could develop from within the team, or may need to be introduced; regardless, they play a vital role in ensuring security is inclusive, offering guidance, triaging and encouraging others to play their part.
Tell me and I forget … involve me and I learn
Involving the team in integrating the security practices is the most effective and efficient way to share knowledge and upskill your team. Arming the team with security training such as threat modelling and risk assessments, secure coding, security testing techniques, threat awareness and incentivising or gamifying the achievement of defined security goals, will embed the sense of ownership required for DevSecOps to succeed.
Orchestration and automation are synonymous with agility and velocity; with backlogs and storyboards waiting to be addressed, dedication to upskilling, tooling and ensuring everyone understands the expected benchmark security posture required for applications to pass through the pipeline is the only way to go from the desire to be doing DevSecOps to actually achieving it.
Breaking it down – eat an elephant one bite and a time.
Simply stating that security needs to play a role in everything we do, gets the elephant in the room out in the open. However, merely stating the fact doesn’t help overcome it, and you will likely be met with resistance if an achievable, pragmatic and incremental approach is not taken.
Shifting left to the development stage will reduce the cost and time associated with finding problems late or in production. Eliminating need to dedicate sprints to solve issues that needn’t have been there to begin with. Further activities as you move through the pipeline are vital to mitigate the chance of compromise on your DevOps ecosystem itself, exploitable software making it to production, and ensuring you are aware of, protecting against and planning beyond, a breach, and can respond accordingly in your customers interest when it comes.
It doesn’t however mean that you need to introduce and optimise every practice from day one, and as with the continuous improvement model of DevOps, allow your security program to mature and develop over time.
Ultimately, prioritising is key; you can and should view your DevSecOps meal as a series of courses that don’t all have to be brought out with the starters.
So… What the Sec is DevSecOps?
We’ve put together the following infographic to help answer the question of “What is Security in DevSecOps?”. With security fully integrated to CI/CD pipelines and your software delivery SDLC, DevOps and DevSecOps become the same thing.
As you will see in the series to follow, there are many opportunities and security practices that can be incorporated to help identify and resolve vulnerabilities, and make for resilient and robust applications at the pace the business demands. We will dive into each of the key phases and provide insight and ideas on how to activate DevSecOps within your organisation.