A developer's guide to the world of DevSecOps

At the center of any successful DevOps initiative is a simple but often overlooked idea: developers drive the software agenda, so their participation is essential to building more secure software. Acknowledging this is not enough. For an application security strategy to work, developers have to be at its center. That next step is what we call DevSecOps.

Today, nobody disputes the need to move fast and deploy code quickly; an agile approach is a precondition for success. But rapid delivery can conflict with stability and security, and without security, DevOps merely ships vulnerabilities faster. Resolving that conflict means closing the gaps in the feedback loops between development, operations, and security. Too often those loops, between teams and even within a single team, are slow or missing altogether. The result is predictable: defects found late, slipped delivery schedules, and serious vulnerabilities that raise the organization's risk.

In many organizations, the underlying problem is that security isn't addressed until the end of the software development lifecycle. The result? Developers find creative ways to work around security controls that slow them down or create more work, and in the quest to move quickly they inadvertently create new and bigger problems. These shortcomings can be fixed, and that is what the move to DevSecOps is about.

The goal of DevSecOps is to build a bridge between fast and secure software development. The best places to start are culture, technology, and process. Here are three best practices for DevSecOps.

1. You need a good foundation

To start, the culture should emphasize openness and ongoing learning. In DevSecOps, trust and cooperation are everything, and continuous training pays enormous dividends. As you build that culture, strong feedback loops are key. You will also need security champions embedded in both the Dev and Ops groups: people who understand security and can carry their knowledge and enthusiasm into the teams while strengthening team autonomy. These champions empower their teams and give them the authority to choose many of their own processes and tools based on their needs.

2. Technology will also have to transform

Automating security testing, through scripting, static and dynamic analysis, software composition analysis (SCA), and integration of that testing with the tools and processes teams already use, goes a long way toward finding flaws early in the lifecycle and speeding the delivery of secure code. It is better to fail early, on the developer's desktop, than late, on the customer's laptop or smartphone. Once the tools are in place, don't accept a high false-positive rate: too many spurious findings and developers will stop trusting the tools and start working around them. None of this sticks without orchestration. Environments are now spun up and torn down constantly, and security checks and configuration have to ride along in the same automated pipelines rather than be applied by hand after the fact. Equally important, teams should be empowered to act on findings without waiting for edicts from the CISO or other security professionals.
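A concrete way to get "fail early" and "few false positives" at the same time is a pipeline gate that fails the build only on findings that are both new and above a severity threshold, while findings a human has already triaged live in a reviewed baseline that expires. The following Python is an added example for this article, not code from it or from any particular scanner: the finding records, the baseline entries and the file paths are constructed, and the record shape is a simplified, SARIF-like one assumed here for illustration.

```python
"""Security gate for a CI pipeline: fail fast on new findings, stay quiet on triaged ones.

Added example, not code from the original article. Findings and baseline below
are constructed and use a simplified, SARIF-like record shape (hypothetical);
they are not the output format of any particular scanner.
"""
from __future__ import annotations

import hashlib
import json
import re
import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output, normalised so one gate can sit in front of several
# tools (a SAST scanner and an SCA scanner here).
SCAN_RESULTS = [
    {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 42,
     "severity": "high",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'},
    {"tool": "sast", "rule": "hardcoded-secret", "file": "tests/fixtures.py", "line": 7,
     "severity": "medium", "snippet": 'API_KEY = "test-not-a-real-key"'},
    {"tool": "sca", "rule": "vulnerable-dependency", "file": "requirements.txt", "line": 3,
     "severity": "critical", "snippet": "examplelib==1.0.0"},
    {"tool": "sast", "rule": "weak-hash", "file": "app/legacy.py", "line": 101,
     "severity": "low", "snippet": "hashlib.md5(data)"},
]


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding across commits.

    The line number is deliberately excluded: an unrelated edit above the
    finding would otherwise change its identity and silently un-suppress a
    result a human already triaged. Snippet whitespace is normalised likewise.
    """
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    material = "\x1f".join([finding["tool"], finding["rule"], finding["file"], snippet])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


# Constructed baseline (in practice a committed, code-reviewed file): findings a
# human triaged as false positive or accepted risk. Each entry carries a reason
# and an expiry so suppressions get revisited instead of piling up forever.
BASELINE = {
    fingerprint({"tool": "sast", "rule": "hardcoded-secret", "file": "tests/fixtures.py",
                 "snippet": 'API_KEY = "test-not-a-real-key"'}): {
        "reason": "test fixture, not a live credential", "expires": "2099-01-01"},
    fingerprint({"tool": "sast", "rule": "weak-hash", "file": "app/legacy.py",
                 "snippet": "hashlib.md5(data)"}): {
        "reason": "non-security checksum, module slated for removal", "expires": "2018-01-01"},
}


@dataclass
class GateResult:
    new_blocking: list[str] = field(default_factory=list)       # new, at/above threshold
    new_informational: list[str] = field(default_factory=list)  # new, below threshold
    suppressed: list[str] = field(default_factory=list)         # baselined and still valid
    expired: list[str] = field(default_factory=list)            # baseline lapsed, live again

    @property
    def passed(self) -> bool:
        return not self.new_blocking


def run_gate(findings: list[dict], baseline: dict, threshold: str = "high",
             today: str | None = None) -> GateResult:
    """Classify findings; the build fails only on new findings at or above threshold."""
    as_of = date.fromisoformat(today) if today else date.today()
    floor = SEVERITY_RANK[threshold]
    result = GateResult()
    for finding in findings:
        fp = fingerprint(finding)
        entry = baseline.get(fp)
        if entry is not None:
            if date.fromisoformat(entry["expires"]) >= as_of:
                result.suppressed.append(fp)
                continue
            result.expired.append(fp)  # lapsed suppression: treat as a new finding again
        if SEVERITY_RANK[finding["severity"]] >= floor:
            result.new_blocking.append(fp)
        else:
            result.new_informational.append(fp)
    return result


def summarize(result: GateResult) -> dict:
    """Compact summary suitable for a CI log line or a pipeline annotation."""
    return {
        "passed": result.passed,
        "new_blocking": len(result.new_blocking),
        "new_informational": len(result.new_informational),
        "suppressed": len(result.suppressed),
        "expired_suppressions": len(result.expired),
    }


if __name__ == "__main__":
    outcome = run_gate(SCAN_RESULTS, BASELINE, threshold="high")
    print(json.dumps(summarize(outcome), indent=2))
    sys.exit(0 if outcome.passed else 1)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit fails the build for the SQL injection and the vulnerable dependency, the triaged test fixture stays quiet, and the lapsed weak-hash suppression resurfaces as a low-severity informational finding rather than silently staying hidden. The same module can run as a pre-commit hook on the developer's machine, which is where the "fail early" part actually happens.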

3. Optimize your processes

All of these changes should operate under a holistic model that encourages team autonomy and high levels of communication, responsibility, and accountability. That includes regular code reviews, security exercises, and performance measurements and benchmarks. Response mechanisms and procedures should also be established: code-grooming guidelines, threat-modeling methods, and a clear path for developers to escalate issues to the security team. Enterprises that promote the right culture, embed the right technology, and build robust processes tied to metrics and key performance indicators (KPIs) end up with a DevSecOps framework that reduces problems and minimizes emergencies.

Take the next step

According to the 2016 State of DevOps Report, only 22% of organizations have made the switch to DevOps, and even among those, DevOps is not applied uniformly across teams and products. Still, some organizations have adopted DevOps successfully and are on their way to DevSecOps, demonstrating that a focused approach produces net gains for development teams, the enterprise, partners, and customers.

For instance, Capital One moved from a waterfall approach to a continuous deployment environment that relies heavily on containers, microservices, and cloud technology; CIO Rob Alexander has said this helped reduce both bureaucracy and technical debt. Netflix is often seen as the unicorn of the DevOps world: with DevOps at the center of everything it does, its applications run across a wide variety of viewing devices with a seamless experience. So how can you get on the same trajectory?

There are a couple of easy steps you can take immediately:

  • Join and contribute to the Open Web Application Security Project (OWASP), or promote certifications such as the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) within your organization.
  • Use online training options, such as e-learning offerings from app sec companies or even YouTube, as a starting point.
  • Read everything, from The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations, by Gene Kim et al., to industry blogs and podcasts from leaders in the space.

Secure software is a journey

The journey to DevSecOps presents enormous opportunities and challenges. Ultimately, you have to break down the barriers that block the three Cs of DevOps: communication, collaboration, and cooperation. Developers who help build a framework that supports DevSecOps gain a level of speed and innovation that puts them and their organization at the forefront of the application economy. Don't panic. Embrace the change, and you will be rewarded.