How to develop a road map to resilience with DevSecOps

Martin Knobloch, Global AppSec Strategist, CyberRes

Every team within a company needs to recognize security as part of the fundamental fabric of the business. That means all teams—from the business groups translating requirements into architecture and functionality to developers creating code and to operations deploying and scaling applications—have to work together to ensure that security is as tight as possible.

Security is not a destination, but a long journey on a road full of twists and potholes. To progress, your company's leadership needs a map showing the current security situation and the long-term planned endpoint, with achievable and measurable milestones clearly marked.

A good road map for the journey is the difference between getting closer to your goal every year and getting waylaid and giving up. Here's how to get started.

Don't trail-blaze—use others' wisdom

The eventual goal for any organization's security program is to have a plan for continual security improvement. You don't have to create your own map, however. A variety of communities have road maps to help companies improve their security and advance along the path to better maturity. These approaches can allow your company to uncover its blind spots and set achievable goals.

For companies focused on improving application security, several resources can be very helpful. Where OWASP's Top-10 Web Application Security Risks helps create awareness of the top 10 risks regarding web applications, OWASP Proactive Controls gives companies a minimum bar for security requirements.

In addition, the CWE/SANS Top 25 Most Dangerous Software Errors can serve as a blueprint for developer security training, while the OWASP Application Security Verification Standard (ASVS) gives you a predefined set of application security requirements together with a way to verify which security level an application meets. The OWASP Mobile Application Security Verification Standard (MASVS) does the same for mobile applications.

More holistic security programs can benefit from the NIST Cybersecurity Framework, a resource produced and managed by the National Institute of Standards and Technology. That framework provides a collection of best practices and guidelines to help companies manage their security maturity and risk.

A software assurance maturity model (SAMM) can also help you create a security plan using others' wisdom and experience. Maturity models are critical because they give companies a baseline, a road map, and the visibility to continually improve their security.

Three major maturity models exist: the Open Software Assurance Maturity Model (OpenSAMM), the OWASP SAMM, and the Building Security in Maturity Model (BSIMM). OpenSAMM is an open framework that helps an organization formulate and implement a software security strategy tailored to the specific risks it faces. BSIMM is a fork of OpenSAMM, originally created by Cigital, with the aim of studying the software security practices and security operations of participating companies. OpenSAMM development stopped, and in 2019 the project was donated to OWASP, which continued it as OWASP SAMM. OWASP SAMM aims to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture.

Any of the maturity models above should help your organization map out a balanced software security program, demonstrate concrete improvements through the security assurance program, and define and measure security-related activities within the organization.

Define SMART milestones to measure progress

Your road map should have flexible goals using specific, measurable, achievable, relevant, and time-bound (SMART) milestones.

A good place to start is to evaluate the security of an application, a process, or the entire business through a baseline scan and a self-assessment. OWASP SAMM provides a self-assessment template that lets a company determine how prepared it is for the journey. For companies that are reluctant to assess their security, compliance is often a useful driver to get on the path. While compliance requirements are no substitute for security, security champions who use such requirements to drive security often succeed.

Finally, trust is very important when doing a self-assessment, and it's essential for keeping all employees onboard for the journey. Leverage the earned trust from bridge building (see previous article in the series) during self-assessment to gain the most honest picture possible. In addition, do not abuse that trust. Don't bash; nurture and guide.

Quick wins make for a strong start

Getting initial buy-in from executives and management—and retaining their support—is crucial to improving the security maturity at any company. Yet, for companies that have some security efforts already underway, a reassessment often seems to cost more effort or more resources, even for small improvements, and significant costs can hobble the journey from the start.

Compliance can be a useful driver to get on the path. The milestones should also state the business value to make the ROI visible. Outlining the value of these changes can help prevent a loss of confidence. Successes with achieving milestones must be shared and celebrated with your teams.

By starting small and defining a clear road map with flexible goals created using SMART milestones, you can find quick wins. In addition, finding the right team for the job through hiring and training and creating a program to continue their education can help create a culture of security. Setting common requirements, focused on quality and proactive security controls, can create an expectation with which the entire company should comply.

Embrace the security journey

Companies that embrace the security journey will see tremendous payoffs. By laying the foundations and building bridges for better understanding between business teams, companies will establish the necessary culture to improve security. By mapping out the path to a more mature focus on security through SMART goals, organizations can make sure to turn their intent—a more resilient business and hardened applications—into actual achievable goals. Finally, community resources and maturity models will help companies refine their approaches to security as they mature.

Overall, your security team should be transparent about expectations for the journey and the decisions made along the way. Do not be the unreachable expedition leader, but a guide that helps your company get to where it needs to be.

This is the second in a series of posts about leveraging DevSecOps in your business to reduce sleepless nights for chief information security officers and application security managers, while reducing friction with security teams and maintaining agility and speed of delivery for development. The goal is to guide CIOs, CTOs, and CISOs and achieve a win for everyone: faster delivery of more secure, and therefore higher-quality, software as well as oversight and control regarding the enterprise software assets.
