Ambassadors SKILup Day Blog: DevSecOps
DevOps Institute Ambassador from Chichester, England
“I always tell the story of how I was speaking about the DevSecOps Foundation course at AppSecEU in Belfast several years ago when a fellow presenter on the DevSecOps track said they didn’t like the term ‘DevSecOps’. Slightly thrown, since we were both talking on that track after all, I asked why. They said because they felt it was hard enough for people to understand what DevOps is, without adding additional terms and they also felt it put an organization at risk of creating another silo. Both valid points, I agreed, but the more I thought about it, the more I felt there is a place for DevSecOps. My view is that security was invited to the party late, if at all and I could see this reflected in artifacts like The DevOps Handbook where security is listed last in the subtitle and is featured in the final two chapters of the book. Not an afterthought as such, but not perhaps given the attention needed. In The Phoenix Project, John, the CISO, has a much more pivotal role when he and Bill, the lead character, together visit all the business units to fully understand what makes them tick. I often use the analogy of feminism to express my thought that until security has an equal place in the DevOps movement, it needs extra attention to place it where it needs to be.”
****
DevOps Institute Ambassador from Kuwait
“I view DevOps as the enabler for breaking silos between streams and fostering innovation and collaboration. DevSecOps is the natural progression to this vision and I strongly believe that with time, the framework will evolve to encompass even more streams and break silos. Today, in the product development journey, most organizations think of security as a last minute sanity check. The result of this is that development teams end up playing catch up with the ever evolving security threat response mechanisms. On the other end, the challenge in front of security teams is to ensure that new and ongoing developed software adheres to the current security polities, processes and tools. DevSecOps aims to provide a more holistic approach to software development where these three viewpoints (Development/Integration/Testing, Operations and Security) are addressed at every stage.”
****
DevOps Institute Ambassador from Santiago, Chile
“Today there is a pressing need to prioritize security in the software product development process. It’s quite evident there is a high number of cyberattackers looking for small holes to apply remote file injection or SQL injection dark techniques. For example, there have been at least two important public security events regarding DevOps tooling in the last 6 months: — Salt Stack Vulnerability — Docker Images infected by Doki
It’s fundamental to consider secure development practices from the very beginning of the development process and make them part of our DNA. I consider these to be the most essential DevSecOps postures:
- Penetration testing integration and deployment tests — Strictly immutable infrastructure — Automated secrets management
In view of the great relevance that container-based platforms are having, it’s important to move faster to the cgroups v2 Linux Kernel feature to gain advantages like rootless access to prevent runtime vulnerabilities and container isolation, making them almost inaccessible to attackers. As DevOps practitioners we must to ensure secure integrations and deployments to guarantee reliable products delivered to the final user.”
****
DevOps Institute Ambassador from Wellington, New Zealand
“Equifax — $575 Million, British Airways — $230 Million;
Information, data and application security cannot be taken lightly as some of the well-known organizations have paid significant fines; penalties as settlement for breaches. Being in the headlines for the wrong reasons is, of course, undesirable, as is the financial and reputational damage that results, and in some cases these are irreparable. Security is no longer an afterthought and merely a checklist to ticking the box. For me, DevOps and DevSecOps are the same — as we weave them nicely to the application, infrastructure, database development practices. As more and more organizations are moving towards cloud, adopting more complex microservices/distributed architecture — it is not just enough of your Dev & Ops writing code, it is about writing “Secure” code. Aim for the day when you could build your organization’s state of vulnerability report entirely by a single click, bring that visibility to your product teams, platform teams — embrace DevSecOps. Security is no longer a subjective discussion and compromise. “
****
DevOps Institute Ambassador from Hull, England
“You only have to look at data breaches in recent times to realise that security is more important than ever before. It’s always been important but when you introduce DevOps you have to be careful not to create other silos with information security. DevOps and DevSecOps are the same, security has to be part of everything we do from security in the development lifecycle all the way through to operations. DevOps enables us to do great things, the technology which enables pipeline automation and process automation is a key part of where security is also key. Make sure you think about security in your pipeline as automation is often an area which is overlooked where security incidents can happen. Applying the shift left principles to security as well as many of the other facets of DevOps makes a mature organisation one which is strong when it comes to security, has great processes in place and automation to help when the job of information security and protection of your company, employees and your client’s data becomes harder every day.”
****
DevOps Institute Ambassador/Founder of DevOps4Me from Kuala Lumpur, Malaysia
“It’s not a secret anymore; most developers use open-source software or libraries. Not all open-source components are not created equally; some of them remain vulnerable from the start while others get worse over time. If you have many third party dependencies, management is complex and, with tens of billions of downloads worldwide, it’s increasingly difficult to manage and direct libraries. Based on the NowSecure report on World’s Mobile App Economy statistics of mobile application usage last year (2019), the increase of mobile transactions and mobile devices users has drastically increased, while, on the other hand, we have a huge shortage of cybersecurity professionals. Therefore, with the help of a DevSecOps approach, organizations are able to detect and avoid vulnerability from the very start of their software development cycle. DevSecOps also promotes “security is everyone’s job”, not only AppSec or InfoSec jobs. Finally, feeling safe and secure is everyone’s essential need, hence secured CICD or DevSecOps pipelines are able to boost an organization’s confidence about their software products.”
****
DevOps Institute Ambassador from Florianopolis, Brazil
“Practice allows IT professionals to, with the right automation and application of tools, design secure application development while the product is still in the pre-production phase and increase code security from automated analysis before it goes into production. The automation of processes and security tests allow the IT team to be able to focus more on the evolution of the project and other tasks, considerably increasing productivity and delivery capacity, even in leaner teams. As more and more tests and processes are automated, the earlier the flaws are identified, reducing the incidence of vulnerabilities. The tests are more efficient and the whole process becomes more consistent and predictable, which makes it easier to identify problems. Security breaches can arise at any time and require a quick and efficient response from IT staff in resolving the problem. If professionals can rely on automated processes, the vulnerability solution can be implemented much more quickly and with greater precision. DevOps’ continuous delivery model accelerates lead time, so the team can develop, test and deploy updates as soon as possible.”
****
DevOps Institute Ambassador from Puerto Vallarta, Mexico
“DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility. Security infrastructure has lagged in its ability to become “software defined” and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way. Modern applications are largely “assembled,” not developed, and developers often download, and use known vulnerable open-source components and frameworks. DevSecOps aims to move the organization to a better security posture. Each security flaw is carefully identified and is fixed one at a time to close the most urgent security gaps. DevSecOps identifies the most vulnerable concerns ahead of time and identifies how to avoid or move away from these bad positions. Without proper consideration given to security engineering practices, the continuous delivery of software changes facilitated by DevOps is risky. On the other hand, DevOps provides an opportunity to reduce security risks if security is integrated into the continuous delivery pipeline according to engineering practices.”
****
DevOps Institute Ambassador from São Paulo, Brazil
“One of the most important aspects for application development is the concern for security. At this point, the culture of DevSecOps has to be an integral part of any project construction from its initial stages. The principles of availability, authenticity, integrity and confidentiality must go hand in hand with good development practices in order to guarantee a complete and safe experience for any application. We need to have a different look with all aspects that aim at data protection and integrity. Among the best practices, we can highlight an analysis of shared codes seeking to find vulnerabilities that affect systems, check the levels of access that are being created and even check which paths will be used to access this system. These concerns should be introduced as soon as possible in the projects and thus bring greater tranquility to everyone.”
****
DevOps Institute Ambassador from Dubai, UAE
“DevSecOps is a guardrail for embracing security in DevOps. Roles and responsibilities for the security team are non existent? I don’t think so. If DevOps engages developers to own what is built and deployed in production, technically speaking, developers own the security aspects as well. DevSecOps lets developers embrace security and own it too. Ultimately the decision of security is in the hands of the developers, unless we have a security team who can code. These are fundamental questions of the past where we have to move on, as DevOps teams do not have to answer to security teams to slow down the process or get policed. So, “What is the role of security teams?” you ask. Answer: ensure that security is part of the DevOps equation.”
****
DevSecOps Practitioner & DevOps Institute Ambassador from Singapore
“DevSecOps introduces the philosophy of integrating security practices and best practices into traditional DevOps processes. Security decisions become an integral part of the workflow without forfeiting speed or slowing down development but two seemingly opposing 2S goals -”Speed of delivery” and “Secure code”- are merged into one simplified framework. DevSecOps comprises creating a ‘Security as Code’ principles with ongoing, flexible alliance between Application designers and/or DevOps and/or QE(Quality Engineering) and/or release engineers and security squads. In alignment with lean practices in agile, security implementation and testing is done in iterations without slowing down delivery cycles. Critical security concerns are dealt with as they become outward, not after a threat or compromise has followed.”
****
DevOps Institute Ambassador from Bogotá, Colombia
“DevSecOps is another transistor chip on DevOps thinking and more interestingly on agile thinking. We all know the relevance of security at this time; construction processes must be efficient and integrated enough to create secure solutions from the beginning, from their guts, from their architecture. The innovative features of DevSecOps are revolutionizing the way security is viewed in the development lifecycle, taking it from the general and abstract to a day-to-day practice, to a practice with recommendations that team members execute every day and where architects should consider it from their first plans of system and solution architecture.”
****
DevOps Institute Ambassador from Texas, USA
“Asking why DevSecOps matters to today’s software development lifecycle is like asking if someone has enough air or whether they have adequate blood flow. DevSecOps provides the culture as well as the logical framework to reduce constraints, improve feedback, and drive innovation. Too many organizations concentrate on silos and building experts. One has to have experts in all fields but those experts must be able to interact effectively throughout your business to create value. These practices create value through opening communication between your teams and encouraging experimentation. Teams can fixate on what goes wrong, or the one individual who can fix those issues rather than encouraging the movement of work over teams, and it is that movement which creates value, the lifeblood of your business, driven by an effective DevSecOps culture.”
****
DevOps Institute Ambassador from Toronto, Canada
“Moving to a DevOps model changes the paradigm of how we secure our products. With constant changes made to production, we can no longer rely on long-running processes and gates to ensure that the products we deliver are adequately secured. Arguably, these practices were never that great in the first place. To make matters worse, the product development organization vastly outnumbers the security team. Additionally, the security team uses different tools, a different language and overall, a different set of goals from product development. The term DevSecOps calls attention to these problems and suggests the implementation of practices to overcome them. Key activities include: educating the teams in secure coding practices, automating security checks into the pipeline and modifying processes to incorporate the responses from those checks. While DevOps practices are changing how security needs to engage, technologies such as FaaS and containers change the attack vectors they are dealing with significantly too. The pipeline itself is now a target as here you can introduce vulnerabilities through the automated process. Most products incorporate open source libraries, which may themselves have vulnerabilities. There is one advantage for security teams in that at least DevOps practices enable the faster resolution of vulnerabilities. However, despite the silly name, it is easy to see why we need to call attention to DevSecOps as a practice.”
****
DevOps Institute Ambassador from Quito, Ecuador
“The single biggest DevSecOps challenge right now is to create a shared vision and objectives within DevSecOps Teams. It means: quit wasting time on “turf wars”, divest ego and open the door to mindfulness. Culture is the key for overcoming traditional barriers. System thinking means a different approach; we have to balance priorities, consider resilience, and keep in mind that cooperation has to overcome competition.”
****
DevOps Institute Ambassador from Columbus, Ohio, USA
“Cybersecurity has never been more important, more difficult, or more interesting than it is today. The COVID19 lockdown and a huge increase in work from home individuals and distributed teams has resulted in an explosion of our collective attack surfaces. There’s never been a more compelling argument for automation, and approaching security very differently than we have in the past. We need to build security in from the ground up, not try to “inspect it in” at the end of the development process. We all know that catching bugs earlier is faster and cheaper, that is no less true of security issues. Today’s development practices and tools enable automated security hygiene practices that address minimum practices for every piece of code that goes into production. There is no longer any reason not to apply software composition analysis and static code vulnerability testing to everything as part of the software pipeline. Most modern IDEs support lint testing, and enabling developers to run their code through the full suite of security testing enables the fastest feedback loop. It also typically results in better work satisfaction on the part of developers. Faster. Better. Cheaper. What could be better?!”
****
Louise Cermak
DevOps Institute Ambassador from London, UK
Other than the obvious benefit of reducing risk by bringing security earlier into the software delivery process, DevSecOps has some often overlooked benefits. The shift of accountability into the software engineering community reduces the significant manual effort associated with security governance and control mechanisms that often take place too late. Organisations often have large teams dedicated to security.
The engineering team codifies compliance, allowing continuous inspection and auditability. In regulated environments, such as financial services, the ability to demonstrate continuous compliance, afforded by the CD pipeline, means that the auditors are kept happy. This benefit is not to be underestimated, as the gathering and documenting evidence for audit is onerous.
DevSecOps also increases organisational confidence in managing risk and vulnerabilities, teams can be more proactive, identifying threats, patching, testing and deploying in minutes, not weeks. Remember the days of big programmes to manage patching tech debt? If your organisation is still doing this, make the switch to DevSecOps and start realising all the benefits.
****
Orit Golowinski
DevOps Institute Ambassador from Tel-Aviv, Israel
“Involving security in DevOps has been a challenge because traditional security methods have been unable to keep up with the agility and speed of DevOps. DevSecOps promotes a focus on automating security as well, to be able to keep up with the speed and scale achieved by traditional DevOps. The aim should be complete automation of security controls, where the controls can be deployed and managed without manual interference. It is important to implement automatic security in a way that does not hinder DevOps’ agility in any way, which can cause friction. Practicing secure DevOps means that organizations have to develop expertise and processes to best discover, protect against, and find solutions to threats and risks, preferably ahead of time .
DevSecOps is very powerful as it introduces security as part of the development lifecycle, it is no longer something to deal with after the fact, but rather an integral part of the code and the responsibility for delivering secure software falls on the entire team and not by another secluded group. DevSecOps promotes the inclusion and collaboration of the security team in the development process.
****
Andre Almar
DevOps Institute Ambassador from Belo Horizonte, Brazil
Security is often thought of as a thing to be implemented only after the development of your software or service. DevSecOps brings security “to the left” meaning that we start thinking about security from the start. This is extremely important because it introduces in developers minds the importance of producing secure code. Security becomes a shared responsibility integrated from end to end inside your DevOps initiative.”
****
Simone Jo Moore
DevOps Institute Ambassador from Occitanie, France
“Security is not an IT decision, it is a business decision. It is the business that decides what it needs to protect based on their governance requirements and policies. Yet it is to IT we turn for the technology advice, guidance and actions to support our need to protect our information and knowledge. And additionally to serve our need to provide fast data flows to those that need it, when they need it so our business can stay viable and thrive in a digital world.
It’s important to have a cross-organisation approach to security. The advantage of DevSecOps is it incorporates the understanding that business outcomes are directly impacted by the quality of security practices. It increases the awareness, understanding and embeds the security practices within current and changing technology so they are an inherent part of the protection and provision of information and knowledge — the lifeblood of any organisation.
DevSecOps becomes even more powerful when combined with other security practices found in Governance and ITSM frameworks such as COBIT ® and Resilia ® . This will take security practices beyond just compliance-driven focus to embed the right decisions and response behaviours in the face of cyber risks within the people, regardless of their role or seniority. Doing this is a far more cohesive organisation-wide security strategy.”
****
DevOps Institute New Zealand Chapter Lead and Ambassador from New Zealand
“From a DevOps Leader perspective, two things are grabbing our attention at present.
- Remote working due to COVID-19 has resulted in more people working from home which has led to an increase in cyber attacks and exploitation of services in less secure contexts.
- The increasing demand for contactless services has accelerated a number of digital initiatives that need to be released to market in record times.
With these items in mind, DevSecOps needs to be reframed into SecDevOps. We need to shift security practices left before Dev and Ops so that we can build and deploy secure code at pace to keep up with business demand. Organisations can no longer afford to have security be the ambulance at the bottom of the cliff. Our focus should be on left shifting security to a point where asking if our code is secure becomes a moot point.”
Originally published at https://devopsinstitute.com on October 2, 2020.
