DevOps is a mindset as well as a business tactic. It’s a cultural shift that merges operations with development and employs a linked toolchain to create change. In turn, DevSecOps seeks to merge security into DevOps. This can be helpful for a business seeking both rapid and secure growth.

Transforming DevOps into DevSecOps can be challenging. However, there are ways to make the transition efficient, smooth and mostly painless.

The DevOps-to-DevSecOps Shift

Keep in mind that security, just like DevOps, is always evolving. It should be treated as a standing requirement throughout app development, not a one-off gate. Here are some key steps that we have seen clients use in order to embed security into their DevOps practices well.

Use the Right Approach

While most organizations today use DevOps in some form, adding security into the mix remains a challenge. Transforming DevOps into DevSecOps is an ongoing process. As DevSecOps practices mature, the related tooling, governance processes, developer awareness, knowledge and training need to be updated often. This requires a programmatic approach to ensure people keep learning throughout the process.

Develop a Framework Tailored for DevSecOps

A security framework tailored to DevSecOps is key to effective governance. The framework should define the security tasks and actions performed across the continuous integration/continuous delivery (CI/CD) pipeline. Each of those tasks should have a defined key performance indicator (KPI) or metric, as well as a risk threshold that determines whether the application code progresses to the next stage of the pipeline.

The KPIs and the type of tasks may vary with the business impact analysis rating of the app (or microservice). Security teams can apply a minimum baseline across all code and a more stringent standard on top of it for critical apps. This gives developers transparency about governance requirements and helps them plan and deliver smoothly.

Culture Change

When DevSecOps tooling is set up properly, developers can perform all the required security tasks and actions themselves. But tooling alone does not change culture; the human element cannot be forgotten here.

The developers will be in charge not only of running the security tasks (both automated and manual) but also of resolving the problems those tasks surface. They'll need a baseline knowledge of security and the skills to fix what the tooling reports. In a large team, developers' skills and knowledge will vary, so training and support have to account for that range.

More importantly, you should encourage a mindset change in which developers treat security as part of their own job. This is key to cutting down on alert fatigue and limiting disruption to the CI/CD pipeline. One way to achieve this, along with training, is to find and promote 'security champions' within the developer team. These champions become the 'go-to' people for all things security and, over time, help shift the mindset of the developers around them.

Establish a DevSecOps Center of Excellence

To support a smooth transition to DevSecOps, create a center of excellence. This is a central, cross-functional team that does research, develops best practices and automates manual tasks.

Clients who have already set up a center of excellence as part of a DevOps framework should extend it to include security. One of the key objectives for this team is to develop templates for security components and tasks to ensure repeatability. They’ll also help fine-tune tooling configurations to reduce false positives.

With a central team, it’s more likely that your process for reducing risk or running a task will be consistent across the business. A DevSecOps center of excellence will also speed up the adoption of security by the business overall.

Automate and Integrate Security Governance

You may know about the 'shift left' practice in DevSecOps. It improves quality and security by moving testing earlier in the software development life cycle. As more and more DevSecOps practices are automated and run inside the pipeline, capturing the metrics the framework requires, so that you can demonstrate that security and compliance requirements are met, becomes harder unless the tooling records them as part of each run.

Therefore, a DevSecOps framework should include a way to track governance throughout the life cycle of the software delivery process. Automating governance requires careful calibration of the underlying tools and platform: they need to enforce exactly the metrics and thresholds defined for each security gate, and emit the evidence that they did so. Businesses benefit because this enables faster software delivery and increased confidence among personnel.
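The two ideas above, a baseline policy for all code with a stricter standard stacked on top for critical apps (Develop a Framework Tailored for DevSecOps) and a gate that records the governance metrics as it runs (Automate and Integrate Security Governance), can be expressed as a small policy-as-code gate. The following is an added example written for this page, not code from the original article or from any IBM tool. It assumes the pipeline has already normalised scanner output into a list of findings (id, tool, severity, rule) and knows the app's business impact analysis rating; the policy names, thresholds and the coverage KPI are illustrative choices.

```python
"""Policy-as-code security gate for a CI/CD pipeline (added example, not from the article).

Assumptions: findings are dicts with id/tool/severity/rule, the BIA rating is passed in by
the pipeline, and "coverage_pct" is a hypothetical security-test coverage KPI.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Known severity labels. Anything else is treated as "high" so the gate fails closed
# rather than silently letting an unclassified finding through.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Policy:
    name: str
    max_findings: dict        # severity -> maximum count allowed to pass the gate
    min_coverage_pct: float   # hypothetical KPI: minimum security-test coverage


# Minimum baseline applied to all code, plus a stricter standard for critical apps.
BASELINE = Policy("baseline", {"critical": 0, "high": 5, "medium": 50}, 0.0)
CRITICAL_APP = Policy("critical-app", {"critical": 0, "high": 0, "medium": 10}, 70.0)


@dataclass
class GateResult:
    policy: str
    passed: bool
    counts: dict
    violations: list = field(default_factory=list)
    metrics: dict = field(default_factory=dict)


def select_policy(bia_rating: str) -> Policy:
    """Map the business impact analysis rating to a gate policy."""
    return CRITICAL_APP if bia_rating.lower() == "critical" else BASELINE


def normalise_severity(raw) -> str:
    sev = (raw or "").lower()
    return sev if sev in SEVERITY_RANK else "high"   # fail closed on unknown labels


def evaluate(findings, bia_rating, coverage_pct, suppressions=frozenset()) -> GateResult:
    """Decide whether this build may progress past the security gate.

    `suppressions` holds finding ids triaged as false positives (for example by the
    center of excellence); they are excluded from the counts but still reported.
    """
    policy = select_policy(bia_rating)
    active = [f for f in findings if f["id"] not in suppressions]
    counts = Counter(normalise_severity(f.get("severity")) for f in active)
    unknown = sum(1 for f in active if (f.get("severity") or "").lower() not in SEVERITY_RANK)

    violations = []
    for sev, limit in policy.max_findings.items():
        if counts[sev] > limit:
            violations.append(f"{sev}: {counts[sev]} > {limit}")
    if coverage_pct < policy.min_coverage_pct:
        violations.append(f"coverage: {coverage_pct:.1f}% < {policy.min_coverage_pct:.1f}%")

    metrics = {
        "findings_total": len(active),
        "suppressed": len(findings) - len(active),
        "unknown_severity": unknown,
        "coverage_pct": coverage_pct,
        **{f"findings_{s}": counts[s] for s in SEVERITY_RANK},
    }
    return GateResult(policy.name, not violations, dict(counts), violations, metrics)


def governance_record(result: GateResult, app: str, commit: str) -> str:
    """One JSON line per gate evaluation, so KPIs are captured without manual effort."""
    return json.dumps({"app": app, "commit": commit, "policy": result.policy,
                       "passed": result.passed, "violations": result.violations,
                       **result.metrics}, sort_keys=True)


# Constructed sample input standing in for normalised SAST/SCA/secrets-scanner output.
SAMPLE_FINDINGS = [
    {"id": "sast-001", "tool": "sast", "severity": "high", "rule": "sql-injection"},
    {"id": "sca-002", "tool": "sca", "severity": "medium", "rule": "vulnerable-dependency"},
    {"id": "sca-003", "tool": "sca", "severity": "medium", "rule": "vulnerable-dependency"},
    {"id": "secrets-004", "tool": "secrets", "severity": "low", "rule": "test-fixture-key"},
    {"id": "sast-005", "tool": "sast", "severity": "WARNING", "rule": "unmapped-label"},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, "critical", coverage_pct=80.0)
    print(governance_record(result, app="payments-api", commit="abc123"))
    raise SystemExit(0 if result.passed else 1)
```

Run as a pipeline step, the non-zero exit code blocks progression, while the JSON line is what the governance tracking described above collects. Two design points worth copying: the gate fails closed on severity labels it does not recognise (the constructed "WARNING" finding counts as high), and suppressions are still counted in the metrics so that false-positive triage remains visible rather than making findings disappear.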

Where to Start With DevSecOps

Does switching from DevOps to DevSecOps sound like a good fit for your team? If so, start with a review of how security currently fits into your DevOps practices. The objective of this review should be to understand current functions, tooling and the areas of your governance processes that need improvement.

The review should measure against your desired state of DevSecOps. To do this, first formulate a program with a set of tasks aimed at delivering specific functions. Meanwhile, consider carefully how you can champion cultural change long-term. Lastly, define metrics and KPIs so you can monitor progress and apply lessons learned.

In this way, your transition from DevOps to DevSecOps will be an ordered and efficient step on your way to long-term goals.
