The Seven Habits of Highly Effective DevSecOps
By now you will have heard of DevSecOps, the movement that seeks to build higher-quality software by incorporating security principles into the development process right from the start, rather than bolting them on at the end.
High-profile cyber attacks just keep coming, and it doesn’t take a genius to realize the collateral damage resulting from an attack is often far greater than the dollars spent on trying to prevent it. An enterprise’s reputation now rides on how it treats and protects data, both its own and that of customers, and so it’s time to re-evaluate security practices.
I wanted to share a recent news item: the median number of days attackers spend on an enterprise network before being detected was 146, according to the Mandiant M-Trends report. That’s nearly five months of lurking, probing an enterprise’s digital assets for the weakest path to confidential customer data. In that time, could your digital initiative stand up to an attacker who is already inside the network, or would it be vulnerable? Both cyber-security specialists and developers increasingly believe DevSecOps is the answer. And we haven’t even mentioned CA’s acquisition of Veracode; the need for more secure DevOps is translating into major market moves too.
Even if enterprises know that DevSecOps is important, when it comes to hardwiring security into applications, it can be difficult to know where to start. That’s why we’ve come up with our critical steps – the Seven Habits of Highly Effective DevSecOps.
1. Cultural change: You’ve heard it before. Just as DevOps wasn’t an off-the-shelf product you could plug and play, so DevSecOps will require a mindset and a cultural change before you feel its benefits.
2. Adjust team structures: Agile working has taught us a lot about the benefits of small, focused teams. The same applies to DevSecOps. Wherever possible, build in mentoring or coaching opportunities so that vital security know-how spreads through the team rather than staying with one specialist.
3. Show you are serious: When trying to instigate a change in mindset, it’s not enough to say security is important. Demonstrate its value to the enterprise through a mix of hard targets (e.g., team KPIs) and softer incentives (rewarding great DevSecOps practices with praise). How you approach training in this area speaks volumes about your commitment, so make sure to top up team knowledge regularly. If team-wide training is costly or impractical, consider workarounds, like sending one or two members to a training day on the understanding that they’ll report back to the rest of the team.
4. Secure-as-you-code: The core idea behind DevSecOps is to build security into your digital initiatives as you go. Clearly it’s a topic we could spend a lot of time on, but for now we’ll stick to a few top tips.
- Ensure security plays an active role early in development.
- Securing the CI/CD pipeline can be a challenge for teams new to DevOps. In the words of the DevSecOps community organization, “CI/CD is fast; security is mostly not.” It advocates whitelisting (allowing only vetted components, sources and steps into the pipeline) and other practical methods to help secure CI/CD.
- Security controls benefit from automation too: a recent Sonatype survey found that “58% of mature DevOps teams automate security as part of their CI practices” and “42% perform application security analysis at every stage of the SDLC”, against much lower figures for less mature DevOps operations. A check that runs on every commit, and fails the build when it finds something, is worth far more than a manual review that happens once before release.
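As an added illustration of the last two tips (this is example code written for this page, not anything from the DevSecOps organization, Sonatype or any pipeline product), here is a small Python gate that a CI stage can run on every commit. It applies an allowlist to the project’s dependencies, requiring each one to be an approved package pinned to an exact version, and scans source files for hard-coded credentials, failing the build on any finding. The approved-package list, the secret patterns and the sample repository contents are all constructed for the example.

```python
"""Automated security gate for a CI stage.

Added example, not code from the page or any vendor: it runs two checks a
pipeline can automate (an allowlist of vetted, pinned dependencies and a
scan for hard-coded secrets) and fails the build on any finding. Package
names, file contents and patterns are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Hypothetical allowlist: packages the organisation has reviewed and approved.
APPROVED_PACKAGES = {"requests", "flask", "cryptography"}

# Patterns for common hard-coded credential shapes (illustrative, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"""(?i)password\s*=\s*["'][^"']{4,}["']"""),
}

# A requirements line is accepted only in the exact form name==version.
PINNED_REQUIREMENT = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==\s*[\w.]+)?\s*$")


@dataclass
class Finding:
    check: str      # which rule fired
    location: str   # file:line
    detail: str     # short note for the build log (never the secret itself)


def check_dependencies(requirements: str) -> list[Finding]:
    """Allowlisting: every dependency must be approved and pinned to one version."""
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        loc = f"requirements.txt:{lineno}"
        m = PINNED_REQUIREMENT.match(line)
        if m is None or m.group(2) is None:
            # Version ranges (>=, ~=) and bare names float with the package index,
            # so the build is not reproducible or auditable; treat both as unpinned.
            findings.append(Finding("unpinned_dependency", loc, line))
            continue
        name = m.group(1).lower()
        if name not in APPROVED_PACKAGES:
            findings.append(Finding("unapproved_package", loc, name))
    return findings


def scan_secrets(path: str, text: str) -> list[Finding]:
    """Flag lines that look like committed credentials, without echoing them to the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for check, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(check, f"{path}:{lineno}", "possible credential (redacted)"))
    return findings


def run_gate(files: dict[str, str], requirements: str) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); the CI job should fail unless passed is True."""
    findings = check_dependencies(requirements)
    for path, text in files.items():
        findings.extend(scan_secrets(path, text))
    return not findings, findings


# Constructed sample repository contents used to exercise the gate.
SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask\nleftpad==1.0.0\n"
SAMPLE_FILES = {
    "app/config.py": 'DB_HOST = "db.internal"\nPASSWORD = "hunter2-not-a-real-secret"\n',
    "app/main.py": "def main():\n    return 0\n",
}

if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_FILES, SAMPLE_REQUIREMENTS)
    for f in findings:
        print(f"{f.check:22} {f.location:24} {f.detail}")
    sys.exit(0 if passed else 1)
```

Run against the sample repository it reports three findings (an unpinned package, an unapproved package and a hard-coded password) and exits non-zero, which is what makes the check a gate rather than a report. Two design choices matter: the secret scanner never writes the matched line into the build log, since CI logs are often far more widely readable than the repository, and unparseable requirement lines are treated as failures rather than silently skipped.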
5. Playing games: That’s what a red team/blue team exercise might feel like, but simulating a security incident is anything but child’s play. Letting one team attack while another defends tends to be far more illuminating than relying on scheduled scans, because it tests people, processes and detection together rather than only known signatures. Similarly, white-hat penetration testing is another way to see how your project holds up under real-world conditions.
6. Design data capture with proactive monitoring in mind: Catching attackers can feel almost impossible because their methods keep evolving to stay one step ahead. In the DevSecOps mindset, tracking and understanding your application’s data is key to spotting anomalies, but you can only detect what you record. Design new initiatives so that security-relevant events (who did what, when, from where, and whether it succeeded) are logged from day one in a form that monitoring can consume, and so that the logs themselves never contain secrets or more personal data than they need.
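To make the point concrete, here is an added example (written for this page, not code from the original post or from any monitoring product) of what “designing data capture for monitoring” buys you. The constructed log lines below record four fields per login attempt: a timestamp, the outcome, the user and the source address. With just those fields, two simple rules can be run over the stream: a burst of failures from one source inside a short window, and a success from a source that has just been failing, which is the shape of a successful brute-force or credential-stuffing attack. The thresholds, window and addresses are assumptions for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Anomaly detection over application login events.

Added example, not code from the page: it shows that the two detections
below are only possible because each event carries a timestamp, outcome,
user and source address. Sample lines are constructed, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per line:
# <ISO-8601 UTC timestamp> <event> <user> <source IP>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failure bob 198.51.100.4
2024-03-01T10:00:05Z login_success bob 198.51.100.4
2024-03-01T10:00:10Z login_failure alice 203.0.113.7
2024-03-01T10:00:12Z login_failure alice 203.0.113.7
2024-03-01T10:00:14Z login_failure alice 203.0.113.7
2024-03-01T10:00:16Z login_failure alice 203.0.113.7
2024-03-01T10:00:18Z login_failure alice 203.0.113.7
2024-03-01T10:00:20Z login_failure alice 203.0.113.7
2024-03-01T10:00:25Z login_success alice 203.0.113.7
2024-03-01T10:30:00Z login_success alice 192.0.2.10
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse the space-separated format above; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, parts[1], parts[2], parts[3]))
    return events


def detect(events: list[Event], threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> list[str]:
    """Return one alert string per detection, in time order.

    Rule 1 (brute_force): at least `threshold` failures from one source within `window`.
    Rule 2 (success_after_failures): a success from a source currently over that threshold.
    """
    alerts = []
    recent_failures = defaultdict(list)   # source IP -> failure timestamps inside the window
    already_alerted = set()               # one brute-force alert per source, not per attempt
    for ev in sorted(events, key=lambda e: e.ts):
        failures = recent_failures[ev.src]
        failures[:] = [t for t in failures if ev.ts - t <= window]   # slide the window forward
        if ev.kind == "login_failure":
            failures.append(ev.ts)
            if len(failures) >= threshold and ev.src not in already_alerted:
                alerts.append(f"brute_force src={ev.src} failures={len(failures)} "
                              f"within={int(window.total_seconds())}s at={ev.ts.isoformat()}")
                already_alerted.add(ev.src)
        elif ev.kind == "login_success" and len(failures) >= threshold:
            # The failures are still inside the window, so this success is suspect
            # even though, on its own, it looks like any other successful login.
            alerts.append(f"success_after_failures src={ev.src} user={ev.user} "
                          f"failures={len(failures)} at={ev.ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data this raises exactly two alerts: one when the fifth failure from 203.0.113.7 lands, and one when the same source then succeeds. Note what the rules need and what they don’t: no payloads, no passwords, just outcome, actor, source and time. If the application logged only “login OK” without the source address, or logged failures without timestamps, neither rule could be written, which is the sense in which data capture has to be designed with monitoring in mind.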
7. Share information: Make it easier for team members to stay on top of security and spot new threats by getting better at information sharing. A good move is also to maintain a set of shared, standard libraries for the things every team otherwise gets wrong on its own, such as input validation, output encoding and authentication, so that a fix lands once and every project inherits it. It’s a useful, time-efficient way of banishing common security problems.
I hope we’ve given you some food for thought when it comes to baking in security practices. If you’re on the cusp of a digital initiative and you’d like more detailed information about incorporating security into your work from the get-go, there are numerous valuable resources online. We like this ZDNet article on the principles of DevSecOps, for instance. The community organization DevSecOps is helpful for more in-depth quandaries. And of course, you can always contact us for our practical findings from working with security teams to achieve quality at speed and scale.