DevOps Institute

How to Build a DevSecOps Program: 5 Key Insights for 2022

DevSecOps and Cybersecurity

May 13, 2022

When it comes to protecting your cloud-based assets, security needs to be a top priority across the organization. Getting to DevSecOps maturity is not a simple or clear path, but there are many experts who understand the critical components of a strong security program.

Nearly 85 percent of Upskilling IT 2022 respondents said DevOps or DevSecOps are critical or important operating models to have. So we reached out to DevOps Institute Ambassadors, who offered their insights on this important topic. Here are some high-level insights on how to build a strong DevSecOps program:

  1. “Shifting security left into the hands of developers is becoming increasingly critical. This shift is not going to be easy. Developers have lots of responsibilities. Adding security requirements to their plate will be, and has always been, at best, a ‘second thought.’ To start building out a DevSecOps program, upper management must be 100 percent behind the initiative with funding. Additional tooling around supply chain management and ‘service governance’ will be needed. A commitment to both generating and using a software bill of materials will be an essential first level of defense in the DevSecOps movement. The first step is to build a CISA team that can evaluate where the organization is at, determine a plan and be ready to do a lot of hand-holding to implement.” – Tracy Ragan, CEO and Co-founder, DeployHub
  2. “Security is one thing that no company can afford to compromise, yet it often gets missed with growing competition and the speed-to-market mindset. Building a DevSecOps program starts with the intention to share the responsibility among each and every one in the IT organization by shifting security practices left in the development process. Additionally, incorporating security practices all the way through to the operations team often reduces risk at a greater level by providing the necessary control and visibility across the organization.

    To bolster security and automation across the software delivery lifecycle, teams often look to a variety of tools available in the market. However, it is always challenging to choose the best security tools that address the vulnerabilities and also complement your existing toolchain and processes. As with any new tool, a learning curve is to be expected before it is implemented, and the timeline could vary anywhere from two to three weeks to, in larger organizations, months, due to legal and compliance policies.

    Try making security an organic part of your development and operations teams as much as possible, whether through a declarative pipeline model or otherwise. This helps the entire organization go faster while building better quality software with security, compliance and quality gates baked into the delivery lifecycle.” – Vishnu Vasudevan, Head of Product at Opsera

  3. “A good DevSecOps adoption program starts with doing the DevSecOps Capability Assessment, or DSOCA, which produces a DSOCA report with the following structure:
    1. Definition of “DevSecOps”
    2. DevSecOps Maturity Level
    3. DevSecOps Capability Assessment findings (Area, What we learned, Challenges/Gap)
    4. The top takeaways from #3
    5. The definition of the current DevSecOps maturity level for the organization
    6. The Quick-Win and Recommendation for #4 and how to move to the next step based on #5

    Once the above is set and determined, we need an excellent DevSecOps framework by using all the top takeaways and recommendations from the DSOCA report.

    DevSecOps framework

    It must be underpinned by the four DevSecOps pillars:
    – Culture – Changing from awareness about security/DevSecOps to what we can do with DevSecOps.
    – Process – How to transform from DevOps to DevSecOps, or from the traditional to the modern and secure method.
    – Technology – How to use technology to be able to do a proper DevSecOps transformation.
    – Governance – Any initiative needs good policy and governance so the organization can streamline the process and the dos and don’ts.” – Najib Radzuan, Principal, Digi Telecommunications

  4. “Building a DevSecOps program requires a strategic approach that encompasses people, technologies and process solutions. People requirements include executive leadership alignment around security vision, goals, priorities, and allocation of resources for training, tooling and automation. Technology requirements include the selection of tools for security threat modeling, software scanning, packaging, testing, analysis and reporting. Process requirements include automation and integration of security controls with applications, pipelines, and infrastructures.” – Marc Hornbeek, CEO and Principal Consultant, Engineering DevOps Consulting
  5. “DevSecOps is an operational framework to bridge the dev and security teams. It’s built with the integration of security teams and security tools directly into the software development lifecycle, leveraging the automation and efficiencies of DevOps to ensure application security testing occurs in every build cycle. This promotes automated security testing, just like automated application build and deployment with your automated quality checks. Appoint a security champion to echo that security is everyone’s responsibility.

    Key points for building a DevSecOps program:

    1. Recognize DevSecOps as a cultural change
    2. Train existing teams on security processes and methodologies
    3. Align your security practices with your development workflow (and the reverse)
    4. Evangelize that security can keep pace with velocity needs
    5. Expand security practices from vulnerability prevention to vulnerability identification
    6. Allocate security budget to support the development workflow pipeline” – Parveen Arora, Founder and Director, VVnt SeQuor

Ambassadors agree that for DevSecOps to be successful, not only are the tools and practices important, but security truly needs to be baked into company culture and become everyone’s responsibility. Helen Beal, DevOps Institute Chief Ambassador, said, “I’d avoid building a program and instead nurture a culture where security is everyone’s job and an adaptive and responsive DevSecOps framework is in place for continuous compliance.”

To learn how to strengthen DevSecOps at your organization with practical, how-to sessions, join DevOps Institute for SKILup Day DevSecOps on May 19, 2022. There’s still time to save your seat! Register: https://www.skilupdays.io/devsecops-22
