When it comes to protecting your cloud-based assets, security needs to be a top priority across the organization. Evolving to higher levels of DevSecOps capability is not simple, but there are many experts who understand the critical components of a strong security program.
Nearly 85% of Upskilling IT respondents said DevOps or DevSecOps are critical or important operating models to have. So we reached out to DevOps Institute Ambassadors, who offered their insights on how to build a strong DevSecOps program:
- Tracy Ragan, CEO and Co-founder, DeployHub –
“Shifting security left into the hands of developers is becoming increasingly critical. This shift is not going to be easy. Developers have lots of responsibilities. Adding security requirements to their workload will be, and has always been, at best, a ‘second thought.’ To start building out a DevSecOps program, upper management must be 100% behind the initiative with funding for additional tooling around supply chain management, ‘service governance’ and learning for upskilling. Commitment to both generating and using a software bill of materials (SBOM) will be an essential first level of defense in the DevSecOps movement. The first step is to build a cyber and infrastructure security team that can evaluate where the organization is at, determine a plan and be ready to do a lot of hand-holding to implement.”
- Vishnu Vasudevan, Head of Product, Opsera –
“No company can afford to compromise on security, yet it often gets missed when organizations are focused on trying to outcompete and deliver new features at speed. Building a DevSecOps program starts with the intention to share the responsibility among each and everyone in the technology organization by shifting security practices left in the development process—doing them earlier. Additionally, incorporating security practices all the way through to the operations team often reduces risk at a greater level by providing the necessary control and visibility across the organization.
To bolster security and automation across the software delivery lifecycle, teams often consider a variety of tools available in the market. However, it is always challenging to choose the best security tools that address the vulnerabilities and also complement existing toolchains and processes. With any new tool, there is a learning curve at implementation and the timeline could vary anywhere between two to three weeks. Sometimes, implementation can take months in larger organizations thanks to legal and compliance policies.
Try making security an organic part of your development and operations teams as much as possible, whether through a declarative pipeline model or otherwise. This helps the entire organization go faster while building better quality software with security, compliance and quality gates baked into the delivery lifecycle.”
- Najib Radzuan, Principal, Digi Telecommunications –
“A good DevSecOps adoption program starts with doing a DevSecOps capability assessment resulting in a report that:
– Defines “DevSecOps” for your organization
– Describes your organization’s current DevSecOps capabilities
– Details the DevSecOps capability assessment findings (area, what we learned, challenges/gaps)
– Summarizes the top takeaways from assessment findings
– Outlines the quick-wins and recommendations to advance capabilities
Teams can use a DevSecOps framework to support their DevSecOps journey. It should be underlined with the four DevSecOps pillars:
– Culture. Changing from awareness about security/DevSecOps to what we can do with DevSecOps.
– Process. How to transform from DevOps to DevSecOps, or from the traditional to the modern and secure method.
– Technology. How to use technology to be able to do a proper DevSecOps transformation.
– Governance. Any initiative needs a good policy and governance so the organization can streamline the process and the dos and don’ts.”
- Marc Hornbeek, CEO and Principal Consultant, Engineering DevOps Consulting –
“Building a DevSecOps program requires a strategic approach that encompasses people, technologies and process solutions. People requirements include executive leadership alignment around security vision, goals, priorities, and allocation of resources for training, tooling and automation. Technology requirements include the selection of tools for security threat modeling, software scanning, packaging, testing, analysis and reporting. Process requirements include automation and integration of security controls with applications, pipelines, and infrastructures.”
- Parveen Arora, Founder and Director, VVnt SeQuor –
“DevSecOps is an operational framework to bridge the dev and security teams. It’s built with the integration of security teams and security tools directly into the software development lifecycle, leveraging the automation and efficiencies of DevOps to ensure application security testing occurs in every build cycle. This promotes automated security testing, just like automated application build and deployment with your automated quality checks. Appoint a security champion to echo that security is everyone’s responsibility.
Key points for building a DevSecOps program:
– Recognize DevSecOps as a cultural change
– Train existing teams on security processes and methodologies
– Align your security practices with your development workflow (and the reverse)
– Evangelize that security can keep the pace with velocity needs
– Expand security practices from vulnerability prevention to vulnerability identification
– Allocate security budget to support the development workflow pipeline”
- Mark Peters, Product Manager, BrainGu –
“The first thing to remember when building a DevSecOps program is that it isn’t about tooling. Too many of us make the assumption that because we have a pipeline in Jenkins, or GitLab, and it includes multiple tests, gates, and security sensors, we have done all we needed to have a comprehensive DevSecOps program. DevSecOps means implementing a culture dedicated to flow, feedback, and continuous experimentation that results in delivering value faster to the customer.
Security, just like features and operations, is a customer requirement that contributes value. Understanding how features and security relate gives you the first step to iterate development, to manage the flow. Interaction with customers on those small delivered items then provides feedback, and lets you know whether the next step is to continue to build, or try something a little different. Teams must build their internal culture to have blame-free discussions that allow advancing a secure and functional product. If your team can’t do those basics, you have a long way before you can call yourself a true DevSecOps team.”
Ambassadors agree that for DevSecOps to be successful, not only are the tools and practices important, but security truly needs to be baked into company culture and become everyone’s responsibility. Helen Beal, DevOps Institute Chief Ambassador, said, “I’d avoid building a program and instead nurture a culture where security is everyone’s job and an adaptive and responsive DevSecOps framework is in place for continuous compliance.”
Next Steps
Learn more about implementing a DevSecOps program through our DevSecOps courses.
Listen to: Humans of DevOps – DevSecOps and Safer Internet with Jamal Walsh