Industry experts discuss the benefits of operating with a DevSecOps approach, as opposed to just a DevOps approach. We take a look at what is driving a DevSecOps approach, some of the challenges faced, and how organisations can achieve success.
DevSecOps is short for Development, Security and Operations and refers to integrating security within the DevOps process. DevSecOps forces people to consider security while carrying out development operations. There are many benefits to using this type of approach, and Tim Mackey, Senior Principal Consultant at the Synopsys CyRC (Cybersecurity Research Centre), and Bharat Mistry, Principal Security Strategist at Trend Micro, are here to tell us more.
Tim Mackey, Senior Principal Consultant at the Synopsys CyRC (Cybersecurity Research Centre):
What is the historic relationship between DevOps and security?
DevOps is an attempt to bring attributes of Total Quality Management and Six Sigma into the software world. Key to its success is the philosophy that new features should be small and that anyone viewing a quality issue has the authority to stop production. It’s often viewed as bridging the gap between those producing the software and those deploying it, with feedback along the way. This approach allows for agile development where, rather than waiting for a periodic major release, development teams embracing it release their features as they are finished. This approach of smaller features delivered more frequently allows not only for higher quality output, but also enables security assessments of that output to be more focused.
What is driving the need for a DevSecOps approach?
Software security is an attribute of software development which recognises that external threats are as important to product success as any defect analysis might be. With agile development practices at the core of DevOps, DevSecOps seeks to provide contextually relevant security reviews in an automated fashion based on the nature of the features being created. The security results are then presented to the developers as they are creating their features, which provides feedback at a point when the developer is thinking about the feature, not several weeks or months later as might be the case in traditional development streams.
What challenges do organisations seeking to adopt this approach face?
The single biggest challenge facing those adopting DevSecOps is context. Developers don’t want more work and don’t want to sift through lengthy reports in an effort to discover a relevant security defect. Since DevOps is about people and process, creating a security process which works for an organisation requires that the Dev and Ops teams be directly involved in defining the security process for their teams.
How can these challenges be addressed?
Successful security practices are those which improve the overall product or service with a minimum amount of friction. That is to say, if the pain of adopting the new security process is significant then any KPIs associated with the initiative will be difficult to meet. Solving for this requires engagement with the development teams who will be on the receiving end of any security issues being identified. Through collaboration, any people or process issues can be identified and compensated for at the outset rather than mid-stream.
How should this strategy be implemented?
When any new security tooling is introduced, it will inevitably find a series of issues which were hidden. Those issues will need to be triaged and tasks created to best address them. Some organisations may wish to resolve all issues before moving on to new work, while others may prefer a known status quo but require that new work be free from security defects. Both models are equally workable and the correct model will be team and product specific. Determining the correct solution requires that all stakeholders are part of the process defining both the workflow and any KPIs. Effectively, the team should be part of how ‘success’ is defined as ownership of process is a significant component of the DevOps culture.
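The two triage models above (resolve everything before new work, or accept a known baseline and block only new defects) can be expressed as a pipeline gate. The following is an added illustration, not code from the article or from either company; the finding fields and the severity ordering are assumptions, and the scan data is constructed.

```python
"""Added example: a CI security gate for the two triage models described above.
Finding format (rule/file/fingerprint/severity) is an assumption, not any tool's schema."""
from typing import Iterable

SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def finding_key(f: dict) -> tuple:
    # Identify a finding by rule, file and tool fingerprint rather than line number,
    # so a baseline issue that merely moves within a file does not re-trigger the gate.
    return (f["rule"], f["file"], f.get("fingerprint", ""))


def gate(current: Iterable[dict], baseline: Iterable[dict],
         mode: str, fail_on: str = "high") -> dict:
    """mode='clean'  : every finding at or above `fail_on` blocks the build
                       (resolve all issues before moving on to new work).
       mode='ratchet': only findings not already in the accepted baseline block
                       (known status quo, but new work must be free of defects)."""
    if mode not in ("clean", "ratchet"):
        raise ValueError(f"unknown mode: {mode}")
    threshold = SEVERITY[fail_on]
    known = {finding_key(f) for f in baseline}
    blocking, accepted = [], []
    for f in current:
        if SEVERITY[f["severity"]] < threshold:
            continue  # below the agreed KPI threshold: reported, not enforced
        if mode == "ratchet" and finding_key(f) in known:
            accepted.append(f)  # triaged on day one, tracked in the backlog
        else:
            blocking.append(f)
    return {"pass": not blocking, "blocking": blocking, "accepted": accepted}


# Constructed sample data: the baseline is what triage accepted when tooling was first introduced.
BASELINE = [
    {"rule": "sql-injection", "file": "app/orders.py", "fingerprint": "a1", "severity": "high"},
]
CURRENT = [  # constructed: today's scan of the same codebase plus new commits
    {"rule": "sql-injection", "file": "app/orders.py", "fingerprint": "a1", "severity": "high"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "fingerprint": "b2", "severity": "critical"},
    {"rule": "weak-hash", "file": "app/users.py", "fingerprint": "c3", "severity": "medium"},
]

if __name__ == "__main__":
    for mode in ("clean", "ratchet"):
        result = gate(CURRENT, BASELINE, mode)
        print(mode, "PASS" if result["pass"] else "FAIL", [f["rule"] for f in result["blocking"]])
```

The `fail_on` threshold and the choice of mode are exactly the kind of KPI the text says the team itself should help define.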
Can you offer a breakdown of how CISOs/organisations can achieve success in DevSecOps?
Success will ultimately boil down to an improvement in security metrics and will likely follow a phased approach. Defining those metrics will be a joint effort between CISO/CSO/CTO and the teams involved. Importantly, a rubric like that from the BSIMM or OWASP communities can help identify areas of security strengths and weaknesses with the current teams. Armed with an understanding of these strengths and weaknesses, a CISO can then begin to identify areas for investment and define metrics to measure progress. While it’s tempting to solve these problems with tools, if teams are following a DevOps culture or just experimenting with Agile development practices, making key personnel from a DevOps or Agile team stakeholders will help increase support for your transition to a DevSecOps model.
Bharat Mistry, Principal Security Strategist at Trend Micro:
How can organisations achieve success in DevSecOps?
Companies are facing a tough challenge: continuously develop products and services to meet user demand, while ensuring comprehensive security in the face of ever-increasing and complex cyberthreats. Organisations shouldn’t have to make a choice between security and agile development and, in order to achieve long-term success, need to consider both of these principles in tandem. This can be done by embracing cultures such as DevSecOps.
Success in DevSecOps can be succinctly broken down into three main principles. The first is the development of a mindset within organisations, where developers and operations see security as part of their responsibilities, rather than it being siloed as a priority for Infosec teams. Executive or board level sponsorship is essential to driving a blame-free culture that promotes cross-silo goals and incentivises collaboration, thus reducing the ‘Not My Job’ philosophy that often halts DevSecOps. Secondly, businesses need to have the right processes in place to identify the ways to apply security without compromising agility. Finally, businesses must have the right technology in place to identify the best solutions.
Companies who are able to embed security into their pipeline in an automated way will soon see the true value in delivering innovative applications to their customers. Those that fail to do this will soon notice the friction from a disconnect between development and security, having to spend time altering security issues that are identified after deployment.
Traditional Infosec teams need to look at closing the gap by integrating with developers and operations teams more closely, and should not just be seen as an additional step in the delivery pipeline, in order to achieve DevSecOps success.