Our previous blog in this current series 'Demystifying DevSecOps' will have hopefully given you some critical thoughts and more understanding surrounding Development, Security and Operations (DevSecOps).
After learning more about demystifying DevSecOps, this blog covers Savanti's view on how best to enable a successful DevSecOps programme.
As we already know, DevSecOps relies heavily on people and processes, and although technology is also important, at Savanti we believe that people and processes are the cornerstones for a successful DevSecOps programme.
One of Savanti's client organisations, for example, may be using the best tools on the market, but if these tools are not properly planned and implemented to consider the wider context of the company environment, they will more likely block the business from moving forwards, creating a barrier between the security team and the rest of the business.
“The Security team should be seen as an enabler rather than a blocker, create guardrails not gates”.
Communication, collaboration, and training are the key concepts in breaking down the information silos and sharing the security responsibility.
Choose security champions
A great way to do this is to create a security champions programme, these champions don’t need to be security specialists - it's not their job after all - they will just act as a point of contact between their teams and security.
Having periodic meetings with the champions in an informal setup and using these meetings to relay security changes that are happening in the company which may affect their teams, helps greatly.
Talk broadly about security and incentivise the attendees to bring their own security-related topics and challenges and listen to their feedback on the current security controls, after all, these employees are affected by these controls every day.
Join forces
A great way to increase employee collaboration is to schedule a day for security exercises like a CTF (Capture the Flag) event, where teams compete between themselves to discover hidden flags throughout a vulnerable application.
Training
Training needs to be something that is targeted to the developer’s current context and not just general security training as a tick box exercise for compliance. Having a good training partner that brings the best and realistic training experiences into the company is always good, training scenarios that help individuals deal with simulating real-life situations.
Take care of processes
You must define a clear process on what your SSDLC (Secure Software Development Life Cycle) will look like, since its design to its continuous monitoring in production.
You should start by defining your application security requirements with the assistance of threat modelling and assign a risk score, based on functionality, type of data handled, exposure and business criticality. You will then use this risk score to set-up the thresholds for your security tooling, an application with a higher risk score will have a lower security threshold. Having the risk score mapped to a threshold will allow your security controls to evolve as the risk score changes. As the application gets deployed to a production environment you should also define a security patch management process, taking into consideration the application risk score and its SLAs, as this will help you decide how to prioritise the patches.
The DevSecOps challenge
One of the challenges when starting with DevSecOps is enabling too many tools at once. Start slow and gradually increase the number of tools that you run on the pipeline. Some of the tools will require that you spend time fine-tuning them to your environment, identify the gaps in your development pipeline and prioritise the deployment of these tools based on that assessment. Also, when deploying your security tooling, don’t immediately start blocking the pipelines, deploy them in alert mode, give the developers some time to understand and get used to the controls and agree on a date when the tools will start to enforce the defined controls.
At Savanti we understand that it is not always easy to get DevSecOps right, so that’s why we've created a DevSecOps Maturity Model framework to help assess your secure software development lifecycle maturity, identify gaps and recommend improvements.
Savanti have a wealth of experience in DevSecOps functions across lots of organisations with the experience to deliver a great security capability. We’d be happy to support you on your cyber security journey, please get in touch – info@savanti.co.uk or visit the chat function on our website: www.savanti.co.uk