As new security threats continue to emerge, it can be a challenge to stay on top. In an agile environment, bureaucratic, “security management by spreadsheet” is ultimately doomed to failure. A more flexible and collaborative approach is needed. Enter DevSecOps . . .
What is DevSecOps?
DevSecOps seeks to achieve better results through greater operational focus and communication around a framework of security principles. It represents a certain mentality, whose philosophy involves building security into applications rather than applying it after the fact and the belief that security principles and communication should come into play, every step of the way when building applications. The philosophy also seeks to ” operate and contribute value with less friction.”
The core belief is that “Security is everyone’s responsibility” and the goal of DevSecOps is to bring individuals of all abilities to a high level of proficiency in security in a short period of time. The DevSecOps manifesto involves principles such as building a platform of least-privilege access, focusing on science and understanding rather than fear, uncertainty and doubt (FUD). It also promotes collaboration and business-driven security services, team testing to analyse potential exploits, continuous security monitoring and sharing intelligence.
The DevSecOps community encourages direct action to uncover potential security issues. The approach is to think like the enemy and use similar tactics such as penetration testing to pinpoint exploitable vulnerabilities, which need remediation.
The Devsecops Mindset
The DevSecOps approach differs from traditional bureaucratic methods which involve rules of governance handed down from a central authority and can be inflexible and ‘one size fits all’. Bureaucracy can actually hinder security measures as they can lead to blindly following a standard approach which focuses on a hypothetical list of threats versus actual, real-world issues.
The following excerpt from the DevSecOps website describes the mindset and lays out the core principles and philosophy of the community:
“The mindset established by DevSecOps lends itself to a cooperative system whereby business operators are supplied with tools and processes that help with security decision making along with security staff that enable use and tuning for these tools. In this case, security engineers more closely align with the DevSecOps manifesto, which speaks to the value that a security practitioner must supply as well as the changes they must make to enable security value to be supplied to a larger ecosystem. In this way, the value that DevSecOps engineers supply to the system is an ability to continuously monitor, attack and determine defects before non-cooperative attackers might discover them. And because of these changes DevSecOps engineers are hugely useful as competitors to external attackers. This allows for all, including security staff, within the business ecosystem to contribute to iterative value creation without the additional pain of attempting to acquire severely scarce security practitioners to be added to DevOps teams.”
Another post on the DevSecOps website encourages security teams to “eat your own dog food”. In other words, utilise the same security controls and processes that are being built into the software code that is being produced so that the challenges and pain points, as well as the benefits, can be experienced and fully understood.
How Can You Implement DevSecOps?
To adopt the DevSecOps approach to improving security management, the initial actions you should consider, are to implement measures that increase the focus on collaboration (both within and between teams), automation and building security as you go. By adopting these principles, you will have taken a positive first step to implement the DevSecOps mindset. As it is a cultural change rather than a set of rules or a tick-list, it will require gradual changes as the various concepts are applied within the organisation and existing frameworks are replaced with new practices. Good luck with the journey.
If you are serious about implementing DevSecOps in your organisation and would like to discuss the approach and how it could work in your environment, please feel free to contact KRYPSYS on [email protected] or call 0845 474 3031