How to empower elite DevSecOps performers

Shira Shamban Co-founder and CEO, Solvo

The most recent Accelerate: State of DevOps Report describes what elite-performing DevOps engineers look like. The key differentiator for those DevOps-focused software engineers is velocity. They iterate fast from commit to deployment, they deploy frequently, and they recover quickly.

Velocity via automation is fundamental to DevOps and CI/CD culture. Building the right pipelines and processes helps create elastic, scalable, and secured infrastructure and applications.

Here's how you can use cloud and DevOps principles to leverage and automate security.

On-demand and self-service

As a DevOps engineer you can help your clients provision any resource they want, without human interaction. How? Through preparation and templates.

Yes, it's a lot of work. And yes, you can integrate security into those templates. That way, developers don't have to worry about misconfiguring the infrastructure. (For the most part, even when they worry, they still misconfigure it. They might as well use your template.)

Provide secure, broad network access

Working from home has become much more prevalent in the last six months or so, and it looks as if it's here to stay. You need to allow your organization to provide secured access to any resource your developers need, from anywhere they want. This includes laptops, mobile devices, workstations, etc.

Since many of us share our at-home bandwidth with family members (and unintentionally our neighbors, too), you should incorporate a zero-trust mechanism in your networks and access points.

Allow for rapid elasticity and resource pooling

Provision and assign resources dynamically and at scale, as much as needed. A growing startup, for example, should design its infrastructure while thinking about the future. Someday it might have to support a hundred times, or even a thousand times, more users than it currently does.

Your design right now should support this growth automatically. There are many use cases where scaling down will also be necessary, so think about triggers for that as well.

Measure your services

One of the great powers of the cloud is that everything can be monitored. The logs and metadata are there; you just have to activate them and stream them to your favorite log analysis software. It's going to help you both for ops and security purposes.

You can control, detect, respond, and optimize. If you haven't done it by now, enable your flow logs and choose "all" actions. (The default is to log accepted traffic, even though what's rejected has much to tell you.)
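To show what rejected traffic can tell you, here is an added example (not code from the article or from Solvo) that parses records in the AWS VPC flow log default format and flags sources that were rejected on several distinct ports. The account id, interface id, addresses and timestamps in the sample are constructed.

```python
"""Detection over VPC flow log records (added example, not from the article).

Assumes the AWS VPC flow log default format (version 2, space separated):
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict

# Constructed sample records; account, ENI, addresses and times are made up.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.2.10 51234 443 6 12 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40001 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40002 23 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40003 3389 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.10 40004 445 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.2.10 51235 8080 6 3 200 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_flow_logs(text):
    """Yield one dict per well-formed record with log-status OK."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA carry no traffic fields
        yield rec


def rejected_port_spread(text):
    """Map each source address to the sorted destination ports it was rejected on.

    This view only exists when REJECT records are logged, which is why the
    article says to log all actions rather than accepted traffic alone.
    """
    spread = defaultdict(set)
    for rec in parse_flow_logs(text):
        if rec["action"] == "REJECT":
            spread[rec["srcaddr"]].add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in spread.items()}


def suspicious_sources(text, min_ports=3):
    """Return sources rejected on at least `min_ports` distinct ports."""
    return sorted(src for src, ports in rejected_port_spread(text).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_FLOW_LOGS))
```

The same logic runs unchanged over real records streamed from your log analysis tool; the threshold `min_ports` is an assumption to tune per environment.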

CI/CD is also all about automation

Add automated testing to your CI process, so that any broken code is detected quickly and the relevant developer is notified and gets a chance to push corrections fast as well. Code should be free of operational bugs, but also of security bugs and issues, and there's no reason not to test for both together. This will give developers a lot of confidence in their code and in your pipeline.

The CD process should allow teams a lot of independence; you should minimize the dependence on other teams for support or resource approval. As stated before, build the pipeline to be as self-service as possible; this will save you and your team time from repeating the same tasks, and specifically the security-related tasks that no one likes to do.

Put these principles into action

How exactly are you going to implement all of these principles and be awesome DevOps or DevSecOps engineers? With the right tools. You know a tool is right when it integrates well with your current pipe and processes.

Even if setup takes a little time, it's going to save you a lot of time down the line. Elite performers automate any process they can and free up their time to do the things they have passion for.

Here are a few open-source tools that I find useful and that help me automate security along the CI/CD pipeline.

  • Pre-commit: Talisman helps make sure your developers are not committing credentials and tokens.
  • Secrets management: AWS Secrets Manager addresses the common bad practice of storing credentials in configuration files. Using a secrets manager can mitigate the risk of leaking credentials.
  • Software dependency checks: Everyone uses open-source and third-party code and packages, which often contain vulnerabilities. OWASP Dependency-Check helps you check for that problem on a regular basis.
  • DAST: OWASP ZAP scans your web applications.
  • SAST: Check out OWASP's analysis of the different tools available, organized by the programming languages they support.

Now you've got what it takes to be an elite DevSecOps performer.
