DevSecOps: More Than Just a Buzzword

September 2017 · 5 minute read

What is “DevSecOps”?

DevSecOps is a cloud synergy disruptor that supports the SDLC through integrated machine learning microservices technology!

KIDDING!

The word “DevSecOps” really got me going when I first heard it. I lumped it into the same camp as pretty much half the buzzwords you read above. However, when I actually started looking into it (because let’s admit it: when almost half of our clients were asking about it, I felt an obligation to at least understand why it was a garbage term), I realized that the idea behind the term is truly revolutionary for our industry.

The DevSecOps philosophy

It’s not a new technology, it’s not a new framework, and it doesn’t have “military-grade encryption”. DevSecOps is a philosophy more than anything.

It is simply a shift in how we think about integrating security into development and operations. That’s all.

What is the philosophy? I’ll outline it in one sentence: we’re all on the same team.

Allow me to elaborate:

  • Security needs to work with developers to make it easier to develop secure code. This means two things: automation and education.
  • Security needs to enable the business to move fast and take calculated risks. This means collecting, analyzing, and presenting appropriate metrics.

Automation

I’ll cover this point further in a later blog post, but the core idea here is an integrated system that produces actionable results. No more spending half our time sorting through false positives and the other half fixing bugs that surfaced late because testing happened at the end of the development process.

Pentesters: how many times have you run a pentest, submitted the report, and then a year later ran into the exact same findings? Too many, I’ll wager.

Developers/blue team: how many times have you run a static application security testing (SAST) tool and found over 1,000 findings? How many of those were false positives? How many were you actually able to fix before release?

No more of this crap!

No more!

It is only through building a security pipeline that mirrors our development pipeline that we can easily integrate security into existing development processes.

See the “Follow-up blog posts” section at the bottom of this article for a link to the guide I’ve written on how to actually implement a security automation pipeline.
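To make “actionable results” concrete, here is an added example of the kind of gate a security pipeline can run beside the build. It is not code from this post or from any tool it mentions; the scanner JSON shape, rule IDs, file paths and the findings themselves are invented for illustration. The gate fingerprints each finding by rule, file and normalised code rather than by line number, separates reviewed false positives (suppressed, with a recorded reason) from known debt (baseline) and genuinely new findings, and fails the build only on new findings at or above a severity threshold. That is the difference between 1,000 findings and a handful the developer actually has to act on before release.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Severity order used for the build-breaking threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    snippet: str

    @property
    def fingerprint(self) -> str:
        """Stable identity: rule + file + whitespace-normalised code, not the line number,
        so an edit elsewhere in the file does not turn a known finding into a 'new' one."""
        normalised = re.sub(r"\s+", " ", self.snippet).strip()
        raw = f"{self.rule_id}|{self.path}|{normalised}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def parse_findings(raw_json: str) -> list[Finding]:
    """Parse the assumed (invented) scanner JSON: {"results": [{rule_id, severity, path, line, snippet}]}."""
    data = json.loads(raw_json)
    return [
        Finding(r["rule_id"], r["severity"].lower(), r["path"], int(r["line"]), r["snippet"])
        for r in data["results"]
    ]


def triage(findings, baseline, suppressions, fail_at="high"):
    """Split findings into suppressed / known / new; fail only on new findings at or above fail_at."""
    result = {"suppressed": [], "known": [], "new": []}
    for f in findings:
        fp = f.fingerprint
        if fp in suppressions:          # reviewed false positive, reason recorded
            result["suppressed"].append((f, suppressions[fp]))
        elif fp in baseline:            # pre-existing debt: tracked, not blocking
            result["known"].append(f)
        else:
            result["new"].append(f)
    threshold = SEVERITY_RANK[fail_at]
    result["blocking"] = [f for f in result["new"] if SEVERITY_RANK[f.severity] >= threshold]
    result["should_fail"] = bool(result["blocking"])
    return result


# Constructed scanner output for this example (rule IDs, paths and code are invented).
SAMPLE_SCAN = json.dumps({"results": [
    {"rule_id": "py-sql-injection", "severity": "high", "path": "app/db.py", "line": 48,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id = %s", (uid,))'},
    {"rule_id": "py-weak-hash", "severity": "medium", "path": "app/legacy.py", "line": 12,
     "snippet": "digest = hashlib.md5(data).hexdigest()"},
    {"rule_id": "py-subprocess-shell", "severity": "high", "path": "app/export.py", "line": 77,
     "snippet": 'subprocess.run(f"zip {name}", shell=True)'},
    {"rule_id": "py-assert-used", "severity": "low", "path": "app/util.py", "line": 3,
     "snippet": "assert user is not None"},
]})

# Baseline: fingerprints recorded from the previous scan. The weak-hash finding sat at
# line 10 then and has since moved to line 12; that must not make it look new.
BASELINE = {
    Finding("py-weak-hash", "medium", "app/legacy.py", 10,
            "digest = hashlib.md5(data).hexdigest()").fingerprint,
}

# Suppressions: triaged false positives, each with a reason so the decision is auditable.
# The query is parameterised, so the SQL-injection rule misfired.
SUPPRESSIONS = {
    Finding("py-sql-injection", "high", "app/db.py", 48,
            'cur.execute("SELECT * FROM users WHERE id = %s", (uid,))').fingerprint:
        "parameterised query; reviewed by appsec 2017-09",
}


def run_gate(raw_json=SAMPLE_SCAN, baseline=BASELINE, suppressions=SUPPRESSIONS, fail_at="high"):
    return triage(parse_findings(raw_json), baseline, suppressions, fail_at)


if __name__ == "__main__":
    r = run_gate()
    print(f"suppressed={len(r['suppressed'])} known={len(r['known'])} new={len(r['new'])}")
    for f in r["new"]:
        print(f"  NEW {f.severity:<8} {f.rule_id} {f.path}:{f.line}")
    raise SystemExit(1 if r["should_fail"] else 0)
```

On the constructed input the gate suppresses one false positive, recognises one known finding despite its line number having changed, and reports two new findings, of which only the shell-injection one is high enough to fail the build. In a real pipeline the baseline and suppression files live in the repository next to the code, so they are reviewed in pull requests like any other change, and the size of the “known” set is a metric in its own right: if it is not shrinking release over release, the same findings will still be there when the next pentest report lands.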

Education

In a DevOps environment, developers must wear many hats. They are asked to do the job of developers, operations, QA, and security, all in the name of speed. This is a problem for a number of reasons, one of which is the fact that most developers don’t have any background in security.

It would be easy to blame the education system (how many Computer Science or Software Engineering programs actually have courses on application security?), but this is just the reality we live in, so we need to find a way to deal with that reality.

As the security experts in our organizations, we need to enable developers to write code securely. That means teaching them about application security, and getting them excited about the subject so that they continue to want to learn more themselves.

Developers are a bright group, and they need to be able to teach themselves new concepts to survive in this industry. Once you’ve sparked an interest in security, they will follow that rabbit hole much farther on their own than they would with any classroom or computer-based training.

The main idea here is this: developers are being asked to write code securely. Make sure they know what this means (it doesn’t have to be overly complicated).

Metrics

You can’t manage what you can’t measure. -Peter Drucker

Here’s the thing: every security program needs metrics to be successful.

Not only that: businesses need to take risks. By providing the appropriate security metrics to key decision-makers, we enable the business to make the right decisions about risk.

Rather than relying on subjective, qualitative answers (which are prone to bias and variation), we need solid metrics that can ultimately tie back to the two things that matter most to your business: money and time.

Ultimately, metrics will help you:

  • Justify budget
  • Identify problem areas
  • Measure improvement
  • Understand risk

Find a way to measure and analyze security accurately across your organization and you will gain keen insight into your business: where you need to focus, and what you need to do to improve your overall security.

I will be posting a blog post purely about security metrics soon, which will be included in the section below once it’s available. Stay tuned!

Final takeaway

In the brave new world of DevOps, business is moving faster than ever before, and developers are becoming responsible for much more than simply writing code. For security to keep up and even thrive, we need to stop being gatekeepers and become a unified team. That means enabling our developers to write code securely through education and automation. We need to enable the business as well by providing appropriate metrics to inform decisions around risk.

“DevSecOps” stands for developers, security, and operations, together. It stands for a philosophy of helping each other achieve more faster, and in doing so we help the business succeed as well.

Win-win all around.

Follow-up blog posts

Other resources