DevOps is a mindset as well as a business tactic. It’s a cultural shift that merges operations with development and employs a linked toolchain to create change. In turn, DevSecOps seeks to merge security into DevOps. This can be helpful for a business seeking both rapid and secure growth.

Transforming your DevOps to DevSecOps can be challenging. However, there are ways of making this efficient, smooth and mostly painless.

The DevOps-to-DevSecOps Shift

Keep in mind that security, just like DevOps, is always evolving. It should be treated as a requirement throughout application development, not a step bolted on at the end. Here are some key steps that we have seen clients use to embed security into their DevOps practices well.

Use the Right Approach

While most entities today use DevOps in some shape or form, adding security into the mix remains a challenge. Transforming DevOps into DevSecOps is an ongoing process. As DevSecOps practices mature, the related tooling, governance processes, developer awareness, knowledge and training need to be updated often. This requires a programmatic approach to ensure people keep learning throughout the process.

Develop a Framework Tailored for DevSecOps

A security framework tailored to DevSecOps is key to effective governance. The framework should define the security tasks and actions performed across the continuous integration/continuous delivery (CI/CD) pipeline. In turn, each of those tasks should have a defined key performance indicator (KPI) or metric, as well as a risk threshold that determines whether application code progresses to the next stage of the pipeline.

The KPIs and the type of tasks may vary depending on the app (or microservice) business impact analysis rating. Security teams can choose to use a minimum baseline applied across all code and a more stringent standard on top of that for critical apps. This provides developers with transparency regarding governance requirements and helps them to plan and deliver smoothly.

Culture Change

When DevSecOps tooling runs properly, developers can perform all the required security tasks and actions themselves. Changing culture means not forgetting the human element here.

The developers will not only be in charge of running the security tasks (both automated and manual) but also of resolving any problems those tasks surface. They’ll need a baseline knowledge of security and the skills to implement fixes. In a large team, developers’ skills and knowledge will vary.

More importantly, you should encourage a mindset change that embraces security fully. This is key to cutting down on alert fatigue and limiting disruption to the CI/CD pipeline. One way of achieving this, along with training, is to find and promote ‘security champions’ within the developer team. These champions become the ‘go-to’ people for all things security and help shift the mindset of the wider developer group over time.

Establish a DevSecOps Center of Excellence

To support a smooth transition to DevSecOps, create a center of excellence. This is a central, cross-functional team that does research, develops best practices and automates manual tasks.

Clients who have already set up a center of excellence as part of a DevOps framework should extend it to include security. One of the key objectives for this team is to develop templates for security components and tasks to ensure repeatability. They’ll also help fine-tune tooling configurations to reduce false positives.

With a central team, it’s more likely that your process for reducing risk or running a task will be consistent across the business. A DevSecOps center of excellence will also speed up the adoption of security by the business overall.

Automate and Integrate Security Governance

You may know about the ‘shift left’ practice in DevSecOps. It helps improve quality and security by moving testing earlier in the software development life cycle. As more and more DevSecOps practices are automated, it becomes harder to capture the metrics required (as per the defined framework) to demonstrate that security and compliance requirements are met.

Therefore, a DevSecOps framework should include a way to track governance throughout the life cycle of the software delivery process. Automating governance requires careful calibration of the underlying tools and platform, so that what they measure and block lines up with the metrics and thresholds defined for each security gate. Businesses benefit because this enables faster software delivery and increased confidence among personnel.
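To make the two ideas above concrete (the per-task thresholds and the baseline-plus-stricter tiering from the framework section, and the governance evidence that an automated gate must still capture), here is a small security gate written as an added example for this article. It is not code from any IBM product or from the clients discussed. The threshold values, the tier names, the finding format and the sample scan results are all assumptions; a real pipeline would load these from the framework's policy and from the scanner's actual output format.

```python
"""Added example: a CI security gate that applies per-tier risk thresholds
and emits a governance record for every evaluation.

Illustrative code written for this article, not tooling from any product.
Thresholds, tier names, the finding schema and the sample data are assumed.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Maximum open findings allowed per severity before the gate fails.
# "baseline" applies to every repository; "critical" is the stricter
# standard layered on top for apps with a high business impact rating.
# None means the severity is measured (a KPI) but does not block. (Assumed.)
THRESHOLDS = {
    "baseline": {"critical": 0, "high": 5, "medium": None, "low": None},
    "critical": {"critical": 0, "high": 0, "medium": 10, "low": None},
}


@dataclass
class GateResult:
    app: str
    tier: str
    counts: dict        # open findings per severity: the metric the gate reports
    violations: list    # human-readable threshold breaches
    unjustified: int    # suppressions recorded without a reason
    passed: bool


def tier_for(bia_rating):
    """Map the app's business impact analysis rating to a threshold tier."""
    return "critical" if bia_rating.lower() == "high" else "baseline"


def open_findings(findings):
    """Exclude suppressed findings only when the suppression carries a
    justification. An unexplained suppression still counts against the gate,
    otherwise a developer could silence the gate without leaving any trail."""
    kept, unjustified = [], 0
    for f in findings:
        if f.get("suppressed"):
            if f.get("justification"):
                continue
            unjustified += 1
        kept.append(f)
    return kept, unjustified


def evaluate_gate(app, bia_rating, findings, thresholds=THRESHOLDS):
    """Apply the tier's thresholds to the scan findings and decide pass/fail."""
    tier = tier_for(bia_rating)
    kept, unjustified = open_findings(findings)
    counts = Counter(f["severity"].lower() for f in kept)
    violations = []
    for sev, limit in thresholds[tier].items():
        n = counts.get(sev, 0)
        if limit is not None and n > limit:
            violations.append(f"{sev}: {n} open, limit {limit}")
    return GateResult(app, tier, dict(counts), violations, unjustified, not violations)


def governance_record(result, stage, commit):
    """One JSON line per gate evaluation, so the metrics the framework asks
    for are captured even though nobody fills in a checklist by hand."""
    return json.dumps({
        "app": result.app, "commit": commit, "stage": stage,
        "tier": result.tier, "counts": result.counts,
        "violations": result.violations,
        "unjustified_suppressions": result.unjustified,
        "passed": result.passed,
    }, sort_keys=True)


# Constructed sample scanner output for the demonstration, not real findings.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high"},
    {"id": "F-2", "severity": "high", "suppressed": True,
     "justification": "reachable only from the test fixture"},
    {"id": "F-3", "severity": "high", "suppressed": True},  # no reason: still counts
    {"id": "F-4", "severity": "medium"},
    {"id": "F-5", "severity": "low"},
]

if __name__ == "__main__":
    # Same findings, two apps with different business impact ratings:
    # the critical-tier app fails on the two open highs, the baseline app passes.
    for app, rating in (("billing-api", "high"), ("internal-wiki", "low")):
        print(governance_record(evaluate_gate(app, rating, SAMPLE_FINDINGS),
                                "build", "abc1234"))
```

Run against the same sample findings, the high-impact app fails the gate (two open high-severity findings against a limit of zero, one of them an unjustified suppression) while the low-impact app passes under the baseline limits. The JSON line is what the pipeline would ship to wherever governance evidence is kept; it carries the counts and the outcome whether the gate passed or failed, which is the point of tracking governance throughout the life cycle rather than only at failures.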

Where to Start With DevSecOps

Does switching from DevOps to DevSecOps sound like a good fit for your team? If so, start with a review of your security in relation to DevOps practices. The objective of this review should be to gain knowledge of current functions, tooling and areas for improvement in your governance processes.

The review should measure against your desired state of DevSecOps. To do this, first formulate a program with a set of tasks aimed at delivering specific functions. Meanwhile, consider carefully how you can champion cultural change long-term. Lastly, define metrics and KPIs so you can monitor progress and apply lessons learned.

In this way, your transition from DevOps to DevSecOps will be an ordered and efficient step on your way to long-term goals.
