It should come as no surprise (or maybe it does!) to learn I’m really excited about DevSecOps and the potential role it plays in application development.
DevOps combines engineering and operations as part of the overall development lifecycle. Its goal is to shorten the development timeline and increase the dependability of releases.
DevSecOps seeks to insert security into the DevOps pipeline without slowing it down. With faster release cycles, security operations can quickly become the thing that slows the release pipeline down. In order to maintain release speed and consistency, security checks are integrated into the DevOps process itself, reducing the slowdowns (manual processes, bottlenecks, etc.) that come from bolting them on afterwards.
DevSecOps requires a shift from just coding to creating a ‘security as code’ culture. Understanding where the application is vulnerable leads to a better understanding of how it should be protected. Digital security platforms and production analytics can be used to diagnose an application’s vulnerabilities (even in third-party integrations) while allowing for proper prioritization of vulnerability remediation.
Ultimately, a ‘security as code’ culture is one where everyone in the development organization is responsible for the application’s security. This may require a shift in your organization’s current culture. Buy-in from key stakeholders, proper implementation of processes, increased automation and an expanded testing scope are just a few of the things that may be required to make the transition.
What are some high-level ways CTOs and development management can begin a movement toward a security as code culture?
- Steering Committees. This is an old-school option. Create a team that is focused on changing the culture and implementing DevSecOps. Leaders can gather requirements, discuss automation strategies and vulnerability assessment tools, and develop a roadmap for implementation and adoption.
- Training. DevSecOps goals and scope will differ between environments. Developers can be given non-traditional skills like penetration and vulnerability testing. Cross-training developers within the security team can help foster collaboration between development and security moving forward.
- Implement Best Practices. Define best practices as a discipline and enforce them. Code analysis, change management, and ongoing security training for developers are a few. Establish a routine cadence between security and development leaders to discuss best practices and share ideas for improvement.
- Organizational Alignment. Depending on the lay of the land in your organization, this may make sense if the security and development functions reside in the office of the CTO. If not, foster executive buy-in between the CISO and the CTO. This can help ensure collaboration and communication, and avoid the dreaded “us vs. them” scenario we have seen between application development and support teams in the past.
Creating a security as code culture will not be easy. However, given the recent visible breaches that resulted from application vulnerabilities, DevSecOps is necessary and not going anywhere. Moving towards integrated DevSecOps with a ‘security as code’ culture will help avoid the loss of customers and revenue that follows from cybercrime.