DevOps is a mindset as well as a business tactic. It’s a cultural shift that merges operations with development and employs a linked toolchain to create change. In turn, DevSecOps seeks to merge security into DevOps. This can be helpful for a business seeking both rapid and secure growth.

Transforming your DevOps to DevSecOps can be challenging. However, there are ways of making this efficient, smooth and mostly painless.

The DevOps-to-DevSecOps Shift

Keep in mind that security, just like DevOps, is always evolving. It should be treated as an overall need in app development. Here are some key steps that we have seen clients use in order to embed security into their DevOps practices well.

Use the Right Approach

While most entities today use DevOps in some shape or form, adding security into the mix remains a challenge. Transforming DevOps into DevSecOps is an ongoing process. As DevSecOps practices mature, the related tooling, governance processes, developer awareness, knowledge and training need to be updated often. This requires a programmatic approach to ensure people keep learning throughout the process.

Develop a Framework Tailored for DevSecOps

A security framework tailored to DevSecOps is key in order to have effective governance. The framework should define the security tasks and actions performed across the ongoing integration/continuous development (CI/CD) pipeline. In turn, each of those tasks should have a defined key performance indicator (KPI) or metric, as well as a risk threshold that determines the application code progression in the pipeline.

The KPIs and the type of tasks may vary depending on the app (or microservice) business impact analysis rating. Security teams can choose to use a minimum baseline applied across all code and a more stringent standard on top of that for critical apps. This provides developers with transparency regarding governance requirements and helps them to plan and deliver smoothly.

Culture Change

When DevSecOps solutions run properly, developers can perform all the required tasks and actions. Changing culture means not forgetting the human element here.

The developers will not only be in charge of running the security tasks (both automated and manual) but also resolving any problems. They’ll need a baseline knowledge of security and the skills to be able to develop and implement it. Developers’ skills and knowledge will vary in a large team.

More importantly, you should encourage a mindset change that embraces security completely. This is key to cutting down on alert fatigue and limiting disruption to the CI/CD pipeline. One of the ways of achieving this, along with training, is to find and promote ‘security champions’ within the developer team. These champions will become the ‘go-to’ people for all things security. They should also encourage a mindset change among developers over a period of time.

Establish a DevSecOps Center of Excellence

To support a smooth transition to DevSecOps, create a center of excellence. This is a central, cross-functional team that does research, develops best practices and automates manual tasks.

Clients who have already set up a center of excellence as part of a DevOps framework should extend it to include security. One of the key objectives for this team is to develop templates for security components and tasks to ensure repeatability. They’ll also help fine-tune tooling configurations to reduce false positives.

With a central team, it’s more likely that your process for reducing risk or running a task will be consistent across the business. A DevSecOps center of excellence will also speed up the adoption of security by the business overall.

Automate and Integrate Security Governance

You may know about the ‘shift left’ practice in DevSecOps. It helps improve quality and security by moving testing earlier in the software development life cycle. As more and more DevSecOps practices are automated, it becomes harder to capture the metrics required (as per the defined framework) to demonstrate that security and compliance requirements are met.

Therefore, a DevSecOps framework should include a way to track governance throughout the life cycle of the software delivery process. Automating governance requires careful calibration of the underlying tools and platform. They need to be in line with the metrics and thresholds defined per the security gate. Businesses can benefit from this because it enables faster software delivery and increased confidence among personnel.

Where to Start With DevSecOps

Does switching from DevOps to DevSecOps sound like a good fit for your team? If so, start with a review of your security in relation to DevOps practices. The objective of this review should be to gain knowledge of current functions, tooling and areas for improvement in your governance processes.

The review should measure against your desired state of DevSecOps. To do this, first formulate a program with a set of tasks aimed at delivering specific functions. Meanwhile, consider carefully how you can champion cultural change long-term. Lastly, define metrics and KPIs so you can monitor progress and apply lessons learned.

In this way, your transition from DevOps to DevSecOps will be an ordered and efficient step on your way to long-term goals.

Learn more

more from Application Security

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be…

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…