DevOps is a mindset as well as a business tactic. It’s a cultural shift that merges operations with development and employs a linked toolchain to create change. In turn, DevSecOps seeks to merge security into DevOps. This can be helpful for a business seeking both rapid and secure growth.

Transforming your DevOps to DevSecOps can be challenging. However, there are ways of making this efficient, smooth and mostly painless.

The DevOps-to-DevSecOps Shift

Keep in mind that security, just like DevOps, is always evolving. It should be treated as a requirement that runs through all of application development, not a phase bolted on at the end. Here are some key steps that we have seen clients use to embed security into their DevOps practices well.

Use the Right Approach

While most organizations today use DevOps in some shape or form, adding security into the mix remains a challenge. Transforming DevOps into DevSecOps is an ongoing process, not a one-time project. As DevSecOps practices mature, the related tooling, governance processes, developer awareness, knowledge and training need to be updated often. This requires a programmatic approach so that people keep learning throughout the process rather than training once and moving on.

Develop a Framework Tailored for DevSecOps

A security framework tailored to DevSecOps is key to effective governance. The framework should define the security tasks and actions performed across the continuous integration/continuous delivery (CI/CD) pipeline. In turn, each of those tasks should have a defined key performance indicator (KPI) or metric, as well as a risk threshold that determines whether the application code is allowed to progress to the next stage of the pipeline.

The KPIs and the type of tasks may vary depending on the app (or microservice) business impact analysis rating. Security teams can choose to use a minimum baseline applied across all code and a more stringent standard on top of that for critical apps. This provides developers with transparency regarding governance requirements and helps them to plan and deliver smoothly.

Culture Change

In a working DevSecOps setup, developers perform all the required security tasks and actions themselves. Changing the culture means not forgetting the human element in that arrangement.

The developers will be in charge not only of running the security tasks (both automated and manual) but also of resolving the findings those tasks produce. They’ll need a baseline knowledge of security and the skills to implement the fixes. In a large team, developers’ skills and knowledge will vary widely.

More importantly, you should encourage a mindset change in which developers treat security as part of their own job. This is key to cutting down on alert fatigue and limiting disruption to the CI/CD pipeline. One way of achieving this, alongside training, is to find and promote ‘security champions’ within the developer team. These champions become the ‘go-to’ people for all things security, and over time they help carry the mindset change to the rest of the team.

Establish a DevSecOps Center of Excellence

To support a smooth transition to DevSecOps, create a center of excellence. This is a central, cross-functional team that does research, develops best practices and automates manual tasks.

Clients who have already set up a center of excellence as part of a DevOps framework should extend it to include security. One of the key objectives for this team is to develop templates for security components and tasks to ensure repeatability. They’ll also help fine-tune tooling configurations to reduce false positives.

With a central team, it’s more likely that your process for reducing risk or running a task will be consistent across the business. A DevSecOps center of excellence will also speed up the adoption of security by the business overall.

Automate and Integrate Security Governance

You may know about the ‘shift left’ practice in DevSecOps. It improves quality and security by moving testing earlier in the software development life cycle. As more and more DevSecOps practices are automated, it becomes harder to capture the metrics the defined framework requires in order to demonstrate that security and compliance requirements are met, because the evidence is generated inside tools rather than collected by people.

Therefore, a DevSecOps framework should include a way to track governance throughout the life cycle of the software delivery process. Automating governance requires careful calibration of the underlying tools and platform: they need to be in line with the metrics and thresholds defined for each security gate. Businesses benefit because this enables faster software delivery and increased confidence among personnel that what ships has actually passed the gates.
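The framework described under “Develop a Framework Tailored for DevSecOps” and the automated gate calibration described just above can be expressed as a small policy evaluator that runs in the pipeline. The following is an added example, not code from the original article or from any client program it describes. It assumes a simplified, constructed finding format (one JSON list with `id`, `severity`, `status` and an optional `justification`); real SAST, SCA or secret-scanning tools would need an adapter into that shape. A baseline threshold set applies to every codebase, a business-critical tier overlays stricter limits, and suppressions are only honoured when they carry a justification, so triage cannot silently hide findings from the KPI.

```python
"""Tiered security gate for a CI/CD pipeline (added example, not from the article).

Assumes a constructed, simplified finding format; real scanner output would
be mapped into this shape by an adapter.
"""
import json
from dataclasses import dataclass, field

SEVERITIES = ("critical", "high", "medium", "low")

# Maximum number of OPEN findings tolerated per severity; None means unlimited.
# The baseline applies to every codebase. The overlay for business-critical
# apps tightens the limits without restating the whole policy.
BASELINE_THRESHOLDS = {"critical": 0, "high": 5, "medium": 25, "low": None}
CRITICAL_TIER_OVERLAY = {"high": 0, "medium": 5}


def thresholds_for(tier: str) -> dict:
    """Return the effective per-severity limits for a business-impact tier."""
    effective = dict(BASELINE_THRESHOLDS)
    if tier == "critical":
        effective.update(CRITICAL_TIER_OVERLAY)
    return effective


@dataclass
class GateResult:
    tier: str
    passed: bool
    open_counts: dict = field(default_factory=dict)       # KPI: open findings per severity
    violations: list = field(default_factory=list)        # why the gate blocked, if it did
    unjustified_suppressions: list = field(default_factory=list)


def is_open(finding: dict) -> bool:
    """A finding counts against the gate unless it is fixed, or suppressed as a
    false positive WITH a written justification. A suppression without a
    justification is treated as still open."""
    status = finding.get("status", "open")
    if status == "fixed":
        return False
    if status == "false_positive" and finding.get("justification"):
        return False
    return True


def evaluate_gate(scan_json: str, tier: str) -> GateResult:
    """Evaluate scanner findings against the thresholds for the given tier."""
    findings = json.loads(scan_json)["findings"]
    counts = {sev: 0 for sev in SEVERITIES}
    unjustified = []
    for f in findings:
        sev = f["severity"].lower()
        if sev not in counts:
            raise ValueError(f"unknown severity {sev!r} on finding {f['id']}")
        if f.get("status") == "false_positive" and not f.get("justification"):
            unjustified.append(f["id"])
        if is_open(f):
            counts[sev] += 1
    limits = thresholds_for(tier)
    violations = [
        f"{sev}: {counts[sev]} open, limit {limits[sev]}"
        for sev in SEVERITIES
        if limits[sev] is not None and counts[sev] > limits[sev]
    ]
    return GateResult(tier, not violations, counts, violations, unjustified)


# Constructed scanner output for the example (not output from any real tool).
SCAN_RESULTS = json.dumps({"findings": [
    {"id": "F1", "severity": "critical", "status": "false_positive",
     "justification": "query argument is a compile-time constant"},
    {"id": "F2", "severity": "high", "status": "open"},
    {"id": "F3", "severity": "high", "status": "open"},
    {"id": "F4", "severity": "medium", "status": "open"},
    {"id": "F5", "severity": "medium", "status": "false_positive"},  # no justification
    {"id": "F6", "severity": "low", "status": "open"},
    {"id": "F7", "severity": "high", "status": "fixed"},
]})

if __name__ == "__main__":
    for tier in ("standard", "critical"):
        r = evaluate_gate(SCAN_RESULTS, tier)
        print(f"tier={tier} passed={r.passed} open={r.open_counts}")
        for v in r.violations:
            print("  blocked:", v)
        for fid in r.unjustified_suppressions:
            print("  suppression without justification, counted as open:", fid)
```

The same scan passes the baseline gate and fails the critical-tier gate on the two open high-severity findings, which is the behaviour the framework section asks for: one minimum standard for all code, a stricter one on top for critical apps, and a per-gate metric (the open counts) that the pipeline records on every run.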

Where to Start With DevSecOps

Does switching from DevOps to DevSecOps sound like a good fit for your team? If so, start with a review of your current security practices in relation to your DevOps practices. The objective of this review is to understand the functions and tooling you already have and to identify the areas for improvement in your governance processes.

The review should measure against your desired state of DevSecOps. To do this, first formulate a program with a set of tasks aimed at delivering specific functions. Meanwhile, consider carefully how you can champion cultural change long-term. Lastly, define metrics and KPIs so you can monitor progress and apply lessons learned.

In this way, your transition from DevOps to DevSecOps will be an ordered and efficient step on your way to long-term goals.
