DevOps Institute

An Interview With a DevSecOps Manager

DevSecOps and Cybersecurity

June 8, 2022


By Feisal Ismail, Principal Consultant, Sapience Consulting

DevSecOps is not just a passing fad. It is a specific implementation of DevOps in which security is integrated into the deployment pipeline. It allows organisations to scale secure development practices across the whole organisation by leveraging automation and a heightened cyber-risk-aware culture.

DevOps Institute Ambassador Feisal Ismail sat down (virtually) with Ding Lit Hwang, a DevSecOps practice manager at a leading news and media conglomerate headquartered in Singapore whose business encompasses newspapers, magazines and digital content.

1. Why DevSecOps? What is the issue you are trying to solve by implementing this practice?

I joined this organization three years ago and there was already a DevOps practice in place, albeit in its formative stages. A DevOps team was supporting developers in doing monitoring and source code control and management, for example. One of the biggest issues then was CD being interpreted as Continuous Deployment.

Automatic deployments to production were causing incidents because of development mistakes, and moves to production were done during office hours, which caused a significant loss of goodwill with the business. We immediately put a stop to several practices, which included allowing developers to deploy code into production automatically, and gated the deployment process with approvals required from key stakeholders via a ticketing system. The incidents showed that there was a significant risk to the business and this practice had to be fixed. Consequently, there was a reduction in production incidents.

The Application Security effort was outsourced and rudimentary, limited mainly to penetration testing. Even then, these tests found significant issues and vulnerabilities that took development teams time to address. This did not cut it. Much of our source code was developed in-house, and it made sense for application security to also be done in-house. A decision was made to implement and scale security practices like code scanning and secure coding, which involved the active participation of developers.

We partnered with a vendor to organize a hackathon and bug bounty driven by the newly minted Cybersecurity organisation. There was a concerted effort to embed and weave Application Security practices into the software development process. We did not allow Application Security to be viewed as a barrier to deployments but as a natural part of them.


2. What is the next step for the growing DevSecOps practice?

To advance DevSecOps, the application security practice will need to evolve. Currently, much of the gating is done through “soft gates”, where stakeholders can authorize moving to the next stage by waiving adherence to security standards. As part of the evolution, we intend to implement “hard gates” where deployment stops if certain pre-determined mandatory security requirements are not met. We think that the business stakeholders and developers are mentally ready for that step.
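The soft-gate versus hard-gate distinction described in this answer, as an added illustration that is not the interviewee's or the organisation's code: a small gate evaluator that checks constructed scan findings against mandatory rules, lets a stakeholder waiver override a failed rule in soft mode, and ignores waivers entirely in hard mode. The rule ids, tool labels and sample findings are all constructed for the example.

```python
# Added example (not from the interview): a deployment gate that checks
# scan findings against mandatory security rules. In "soft" mode a
# stakeholder waiver (e.g. an approved ticket) overrides a failed rule;
# in "hard" mode any failed rule stops the deployment, waivers or not.
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Finding:
    tool: str       # "sast", "sca" or "secrets" (constructed labels)
    severity: str   # "critical", "high", "medium" or "low"
    title: str

@dataclass
class Policy:
    max_critical: int = 0        # mandatory: no critical findings
    max_high: int = 0            # mandatory: no high findings
    allow_secrets: bool = False  # mandatory: no hard-coded secrets

@dataclass
class GateResult:
    allowed: bool
    failed: list = field(default_factory=list)  # rule ids still failing
    waived: list = field(default_factory=list)  # rule ids overridden by waiver

def failed_rules(findings, policy):
    """Return the ids of the mandatory rules that the findings violate."""
    sev = Counter(f.severity for f in findings)
    failed = []
    if sev["critical"] > policy.max_critical:
        failed.append("no-critical")
    if sev["high"] > policy.max_high:
        failed.append("no-high")
    if not policy.allow_secrets and any(f.tool == "secrets" for f in findings):
        failed.append("no-secrets")
    return failed

def evaluate_gate(findings, policy, mode, waivers=frozenset()):
    """mode='soft': waived rules pass; mode='hard': waivers are ignored."""
    failed = failed_rules(findings, policy)
    if mode == "hard":
        return GateResult(allowed=not failed, failed=failed)
    if mode != "soft":
        raise ValueError(f"unknown gate mode: {mode!r}")
    waived = [r for r in failed if r in waivers]
    remaining = [r for r in failed if r not in waivers]
    return GateResult(allowed=not remaining, failed=remaining, waived=waived)

# Constructed sample scan output for one build under review.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "SQL query built by string concatenation"),
    Finding("sca", "medium", "outdated logging library"),
    Finding("secrets", "critical", "API key committed in config file"),
]
```

Running `evaluate_gate(SAMPLE_FINDINGS, Policy(), "soft", {"no-high", "no-critical"})` still blocks on `no-secrets`, while the same call in `"hard"` mode blocks on all three rules regardless of waivers.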


3. If you had to do it all over again, what would you do differently? What were your biggest challenges?

To be honest, I would probably have engaged a third party to assess, identify and prioritize the gaps and help define a realistic implementation roadmap. In hindsight, our DevSecOps implementation approach was rather haphazard, and we were constantly derailed or distracted by operational issues. I would have done it as part of a managed program with a shared understanding of the objectives, roadmap, timelines, investments and business changes that are required for DevSecOps. The outcomes might still be the same, but there would be a shorter and less painful runway for the transformation.

My biggest challenge, then and now, is hiring good, qualified and experienced people. There is a high demand for DevOps and security skillsets. There are way sexier options out there, with eCommerce, financial institutions and technology giants getting the first bite of top talent. Additionally, I feel that the current internal equity within my organization does not compare well with that of the companies we are competing for talent with. Of course, we are also exploring upskilling our current workforce, but that would mean that we cannot evolve at the pace we desire.

4. Any final words of advice for those entertaining the idea of implementing DevSecOps?

DevSecOps is not just a buzzword. It delivers real benefits to the business but does require a lot of careful consideration and investment. Recognize that every organization is set up differently, and it would be good to learn from leading industry frameworks and practices. Be clear on what problem you are trying to solve with DevSecOps and contextualize your practices to suit your organization.

Do not disregard the cultural and mindset shift that is necessary. Your people must be prepared to embrace the change.

Lastly, put some numbers and measurements in place to track the progress of your DevSecOps implementation. You need to demonstrate to the business the outcomes and impact of these changes. It’s got to be justified.


Feisal loves to talk (and listen). He is also a DevOps Institute Ambassador. As an accredited trainer for the comprehensive suite of courses with DevOps Institute, he has trained countless technology professionals in the Asia-Pacific region in subjects ranging from DevOps (foundational and advanced courses), DevSecOps and Site Reliability Engineering to Governance, Risk and Compliance (GRC) and IT Service Management. He is a firm believer in sharing knowledge and experiences and believes in facilitating meaningful conversations to enable personal and organisational growth. His favourite superhero-cum-father-figure is Batman.