How to build a DevSecOps strategy

In a DevSecOps strategy, security should be a sustainable process that involves every member of a team, creating a chain, if you will, of security-conscious people. In today’s landscape, there is no other way. Threats can come from seemingly anywhere, in and outside of an organisation. They’ve also grown incredibly sophisticated, targeting areas of a system or application that no one would have thought possible in the past.

The DevSecOps Manifesto proposes a security-first and always-on approach. The methodology calls for the incorporation of protection — in various ways — at a fundamental level, directly within code. It’s a development approach that values security from the get-go and continues to focus on those safeguards throughout the scope of a project.

This approach is relatively new, meant to replace legacy operations. In the past, developers would design and build a system, putting security aside while they work. Once it was complete, they would search for vulnerabilities and problems.

One of the significant issues with this approach is that you cannot know whether you have discovered everything. It is also difficult to track what staff have already reviewed and what they have not. Experts recommend that DevSecOps teams should not try to eradicate weak points during development.

DevSecOps moves that responsibility earlier in the process and widens its scope to include the entire team. Everyone is now responsible for securing the system or application from the very moment they sit down to work.

How to implement DevSecOps

While it’s certainly a viable strategy, there are a lot of unknowns about DevSecOps implementation. How do you introduce such a complex approach to your teams, and where do you start?

1. Educate team members

Claiming that security is a responsibility for everyone, implemented at the most basic levels, is one thing. Actually putting that approach into effect, and shifting that responsibility to individual team members, is entirely different. First, educate your teams about DevSecOps and security practices, and what that means to them personally. How is each developer empowered, and what is their role in beefing up security?

This concept is particularly crucial for segmented teams working on smaller pieces of code that will fit into a larger puzzle. Each wrapper or snippet must be built with its own layers of security to protect the greater project. Think of it as bubble-wrapping fragile items individually before placing them into a large box for shipment. Before you do it, however, you need to be sure your team and developers understand the process.

You can stress security at every level as much as you want, but it won’t make a difference if your team members don’t know how to achieve it.

2. Give developers the lead

Almost every DevOps guide talks about implementing the practice at a cultural level, and the same is true with DevSecOps. Developers tend to be incredibly creative and talented people who take a lot of pride in what they do. Get out of their way and allow them to grow. Think of it as future-proofing your security design through a more holistic approach.

That’s precisely why the first step on this list is training and educating team members. When given a chance, they will work to further their skills and experience. They will also take everything they learn and incorporate it into the code and content they’re creating. It’s all about giving them the tools they need to succeed, which will only further improve the end product.

3. Conduct security assessments

Audits or assessments are a necessary evil when it comes to understanding the current state of an operation, finding potential flaws and discovering opportunities. Through a combination of internal resources and third-party experts, assessments should explore existing systems.

Where are the current strengths and weaknesses? Is a total rollback necessary? Can you implement DevSecOps strategies with the project that’s already underway?

4. Practice code-based security

Most likely, there are projects and segments already in place, and your teams created existing code with a different method. Don’t look at this as a negative or obstacle. It provides an excellent opportunity to revisit the foundations of a system to implement the protective armour we’re discussing. Security needs to be incorporated into the code, not addressed using external methods like third-party programs or extensions.

As early in the DevSecOps pipeline as possible, teams should be practising security-conscious coding. Unless you and your staff are starting from scratch — and if you are, that’s wonderful — you’ll need to begin somewhere. Work from the bottom up, improving existing code and systems before moving on to fresh ones.

5. Don’t forget about automation

Integral to DevOps and agile methods is the practice of automating time-consuming and repetitive tasks. According to one survey, 57% of company leaders say they are implementing automation in one or more business functions.

Speeding up testing and code correction was a large part of improving dated delivery models; without it, these stages usually slowed down the rest of the pipeline. DevOps calls for automating most of this work to cut down on bottlenecks, and the same applies to security checks. Automate whenever possible to keep the entire pipeline unclogged and flowing.

Development + Security = DevSecOps

Due to several factors, both internal and external, development and cyber security strategy must merge at a foundational level. Innovation, dynamic markets and greater threats all contribute to a need for improved security.

DevSecOps merely calls for placing the responsibility of security into the hands of developers. It’s a holistic approach that empowers almost everyone on the team. Hands down, it is the best way to approach security-conscious development in today’s landscape.

Kayla Matthews

Kayla Matthews is a tech journalist and writer.