Application security, DevSecOps, Security Strategy, Plan, Budget

How to establish a DevSecOps organization

Share
Today’s columnist, Chris Buijs of NS1, points to Kubernetes expertise as one of the new skills essential to building a successful DevSecOps team.

DevSecOps integrates automated security checks and hardening into every stage of the software development and deployment process. Practitioners aim to have risk-checked applications fully developed and into production at the speed the business needs, making continuous incremental improvements.

Enterprises are now taking notice, though few have already made the leap to get there. Most companies are still mulling the question: “How do we get from where we are today to where we want to be?”

For software developers accustomed to a phased system in which design, development, and testing are sequential steps, DevSecOps represents a complete upheaval of the processes they know. The same can be said for IT Operations teams, which are accustomed to setting and forgetting their configurations. Establishing a successful DevSecOps organization requires new mindsets, new tools, and a cooperative culture.

Here are some recommendations for getting started:

  • Be intentional about culture. Most successful DevSecOps programs develop a work culture that encourages sharing knowledge, mentoring each other, and empowering the team to innovate and take risks. Develop shared goals, metrics, and rewards. Also, work to shift mindsets from monolithic, risk-averse, static, and centrally-controlled to more dynamic, community focused, decentralized, and contribution-based.
  • Start small, and focus on process and upskilling. Start small and hone the “build, fail, fix, repeat” mindset while developing new skills from within. Areas to focus on for upskilling include: Linux and scripting; top-tier programming languages and utilizing SDKS; cloud and container technology, such as Docker, AWS, Kubernetes, and SaaS/IaaS-liaised equivalents; proficiency with cybersecurity topics and security-by-design concepts; risk assessments and threat modeling; and continuous integration/delivery/testing/monitoring and agile methodologies.
  • Bring on new talent to pave the way. Consider hiring a few experienced outside people to show others the way. Sometimes companies need a fresh look at their problems with no preconceived notions.
  • Combine best-of-breed tools. Take advantage of development, automation, testing, and monitoring tools that make it easy for a developer to just hit a button and have the vulnerabilities and security deficiencies surface, right within the development process where they can address them promptly. Some to consider: Ansible, Codacy, Snyk, Hashicorp’s tool suite, Puppet, Chef, GitHub/GitLab, Aqua Security, IDS/IPS systems, and SIEM technologies.
  • Consider outsourcing. Some find it easier to engage a third-party company to become their outsourced DevSecOps organization. This minimizes the upfront investment and lets them tap into a larger pool of resources and take advantage of more experienced professionals, especially valuable in regions where there’s limited talent. After a few years, the company can integrate the outside group into the larger organization.
  • Don’t try to reinvent the wheel. Talk to other companies, including those outside the industry to learn how they dealt with the transition. This can help avoid making mistakes they stumbled through and can accelerate the company’s own strategy.

Major shifts often come with hiccups. For starters, companies may find converting an existing organization too challenging, expensive, and/or time-consuming, which can hold back DevSecOps and digital transformation or development projects in general. Instead, use new applications and projects as a way to phase into DevSecOps. Once personnel, processes, and tools are in place and working efficiently, gradually transition or decommission older software and products.

Companies also find budgeting difficult. DevSecOps requires investment in new tools, and training, and some new people, as well as running a new process alongside legacy development for a while. Just know that costs will go up before they can come down and know that you may have to articulate the potential return on investment to stakeholders. Here’s a situation where it might make sense to outsource.   

Keep in mind that the “Ops” people will likely push back on the many rapid configuration changes that are needed. Appeal to them with a trade-off: Automate the mundane infrastructure changes so the organization can free up to do more interesting architectural planning and design work.

If the organization just needs to add the “Sec” to DevSecOps, prepare to address culture changes upfront. DevOps pros are familiar with “develop quickly,” but they need to expand to a “develop quickly and securely” mindset. It’s important to teach them about security policy and rules along with the associated risks of not building security into development. Communicate to them the benefits, such as time saved in rolling back problematic releases.

Transitions to DevSecOps are full of challenges and pitfalls. It requires a major cultural as much as a technological shift. But it’s worth the investment. Companies that have succeeded are well-positioned to bring secure new business systems to market as quickly as they are needed. That’s a decided competitive advantage every company wants.

Chris Buijs, Field CTO, NS1

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.