Getting Started with SecDevOps: The What, The How, and the Why
Here’s the problem. The world is full of bad people. The world is also full of bad (let’s call it imperfect) security. Put those two facts together and you quickly realize why a computing device gets attacked, on average, every 39 seconds . In the time it takes you to skip yet another YouTube ad, or put on a pair of socks in the morning, another piece of code is exploited. It’s because people and computers are imperfect. But that’s ok, because…
Here’s the good news. The world is also full of good people. You’re here, presumably to read about how to get started with SecDevOps, which means you’re probably one of the good people as well. You’re in the right place. With SecDevOps, your organization can improve Application Security (AppSec) to outsmart the bad people and the world can be a slightly better place for it.
So, let’s get started.
First things first: What is SecDevOps?
If you have heard of SecDevOps, then odds are you have also heard of DevSecOps and DevOpsSec. Is this because the tech industry loves confusing people with their naming conventions? Well…yes we do (after all, why do you think Microsoft skipped Windows 9? And where did Windows Vista come from?), but that’s besides the point. There actually are important differences between the terms that need to be understood first before going further.
DevOpsSec is where most companies are nowadays. DevOpsSec is the term used for AppSec after code is already in production. This is where 90% of companies start with their security process because they’re concerned about security becoming a bottleneck in the development cycle due to security’s manual processes and inability to keep up with modern pipelines.
DevSecOps, on the other hand, focuses on the integration of the tools themselves that are used to build and secure applications into the SDLC. More traditionally, when people think about these tools, vulnerability scanners like Veracode and Contrast come to mind. However, as the DevOps toolchain has proliferated, so have those tools to secure it, such as container security tools like Aqua and Twistlock, or cloud configuration like Fugue and Sonrai.
SecDevOps is the integration of AppSec into the development process. SecDevOps is holistic and takes into account each step of the development lifecycle starting from the initial design phase all the way to after the product is out the door. Consequently, it is focused on the deployment of an application security program as part of the SDLC, not just the testing: this includes understanding what policies are applicable for each project, the controls (manual or automated) to verify them, and analytics to understand the security test results.
Think about it like cooking dinner. You need both the right tools, ingredients, and the recipe instructions in order to make a meal. The tools and ingredients (DevSecOps) are not much use without knowing the process (SecDevOps). Otherwise, you risk making a mess.
How do you get started?
Culture
SecDevOps is first and foremost a cultural transformation. Culture transformation often sounds scary to some people, but when it is a shift that is clearly in the right direction, then there’s nothing to be scared about. And the good news is that we know Development teams are great at adapting when it means delivering better features more frequently. The world needs more secure applications as they’re the foundation of our digital world. Remember all those bad people we talked about earlier? A security minded culture is a good thing.
When there is a SecDevOps culture within your organization, AppSec becomes an integrated and natural part of the development process rather than an extra step that slows down development velocity. This is an incredibly important mental shift-if security is seen as an extra chore to accomplish, shortcuts get taken and the bad guys win. That’s why SecDevOps is so important.
Policies
After you understand what SecDevOps is, you have to have a way to implement it-and that’s achieved through policies. Most people just think about compliance when the they think of policy but, really, they are a reflection of how a company’s risk profile aligns with its broader goals. What is your organization’s risk tolerance? How do you mitigate it? How do you control for it? These are all things that are codified in policy and shape how you execute your SecDevOps program. Policies give the development and security teams a framework and context to operate within for each individual project and serve as the backbone of a good SecDevOps program.
People
Like the name suggests, at its core, SecDevOps is about an integration not just of the processes, but the teams that are responsible for creating, delivering and securing code.
Application Security Managers spend a lot of time on manual grunt work that keeps them from having the time to be a strategic partner of DevOps in the absence of SecDevOps,. By giving them centralized governance of their AppSec program, SecDevOps frees them up to focus on being a security advisor, not just gatekeeper — whether proactively through participating in design sessions and code reviews, or when issues do arise, giving them the information they need to work with Development to resolve in a timely manner that meets both teams’ goals.
Program Managers are often operating blind when it comes to understanding the Application Security implications to their projects, creating project delivery risk — both on the timeline and budget. While it may sound paradoxical, centralizing governance and administration of Application Security through SecDevOps decentralizes the management of it, putting day-to-day ownership of it in the hands of PMs so they can make informed decisions without having to become AppSec experts and enable their team to deliver quality code, with security as part of the definition of quality.
Developers, Architects, and Ops are the people on the front lines executing the policies. So, you want to make it as easy as possible for them to do so. This means integrating into their existing workflows, whether it is their ticketing system, IDE, pull request, or build tools. Additionally, make sure they are enabled to be part of the process in a bi-directional manner so you can get feedback on the efficacy of the policies and whether or not they’ve been implemented.
Why does it matter?
While SecDevOps is an ultimate state in the full integration of Application Security processes into the SDLC, it is not a utopian vision. Rather, it is a practical approach that a team of any size can get started on today to make sure they reap the benefits of better integrated application security. If you’d like to better understand how your team or organization can get started, grab a virtual coffee with one of Wabbi’s SecDevOps advisors.
Originally published at https://wabbisoft.com on January 15, 2020.
