To DevSecOps or not to DevSecOps?

Would your organization benefit from introducing DevSecOps? Dan Cornell, CTO of application security company Denim Group, believes that most organizations would. With one caveat, though: they must realize that the transition is, first and foremost, cultural rather than technological.

DevSecOps benefits

Breaking down barriers between DevOps teams and security teams helps to align incentives and accelerate the rate at which organizations can innovate safely, he says, but organizations focused on adopting new technologies without also committing to material cultural changes will find that their DevSecOps initiatives tend to stall.

Changes and challenges

“Security teams must commit to cultural changes to be successful in a DevSecOps world – they need to gain a better understanding of the business environment impacting their organizations and re-imagine their own role as risk management consultants supporting aggressive innovation. Governance and compliance will still remain significant drivers in the role, but the primary focus has to be on support for their DevOps teams,” he told Help Net Security.

They must take care to avoid being perceived as out of touch with the broader strategic concerns of the business and being marginalized.

“By developing a broader understanding of the strategic competitive environment for their firm, CISOs can expand their perception of the true risks to the business,” Cornell pointed out.

“Information security risks are significant, but the implications of ascendant competitors or changes to the marketplace have the potential to be much more impactful in that they can result in loss of market share, loss of profits, and ultimately bring into question the survival of the business. Communicating information security concerns in the context of this broader understanding can help these CISOs establish and expand influence with critical stakeholders.”

The right tools

It is also crucial for them to learn their team’s DevOps tool stack and for the organization to choose the right tools for supporting DevSecOps initiatives.

“What tools has the DevOps team adopted and why? There are several classes of tools that are common in CI/CD pipelines, like using Jenkins to do CI/CD orchestration or Puppet or Chef to handle configuration management. Often security professionals are not familiar with these types of tools but, to be a true contributing team member in a DevSecOps environment – they must at least have some familiarity with why and how the tools are used,” he advised.

Tools supporting DevSecOps initiatives should allow teams to move faster and with more confidence while freeing up resources for higher-value tasks.

Tools that add additional manual steps for team members or introduce uncertainty should be a no-no. Tools that further collaboration and facilitate the breakdown of barriers between organizational silos should be a must.

“Here’s an example: if SAST/DAST/IAST/SCA is being run in a CI/CD pipeline, the right tool will run in an acceptable amount of time (“acceptable” being dependent on the organization and team), will provide quality results (few/no false positives), and will provide valuable results that developers agree are worth fixing,” he explained.

He also says that automation is critical for successful DevSecOps initiatives.

“It allows teams to go faster with the comfort that bugs, vulnerabilities, and other errors will be quickly detected so they can be addressed. In addition, it frees up team members’ time to focus on other concerns that cannot be addressed with automation. Teams failing to drive sufficient automation will find that errors will lead to failures that erodes the team’s confidence in moving quickly,” he concluded.