The Journey from DevOps and Application Security to DevSecOps

Jul 28, 2020

Author: Dr. Wendy Ng

The success of DevOps in leveraging agile practices to help organisations meet the expedited timelines of modern application development has not gone unnoticed from the application security standpoint. Software is the core workhorse of digital services, consumed through distributed networks. This massively increases an organisation's attack surface, and places greater emphasis on quality code, from both the functional and the security perspectives.

Agility depends on small and regular units of code work, and modern application security tools need to adapt to that cadence: a scan that takes a day, or that cannot run on a single pull request, will be bypassed. Fortunately, boffins from application security vendors have delivered a suite of technical solutions. However, identifying the tools is only the foundation. To be successful they need to be supported by education, collaboration, and cultural, process and organisational changes that support the transition and lessen the friction that security adds to software development.

In addition to agility and quality improvements, DevSecOps is ultimately about trust and responsibility. Relying completely on external enforcement of code quality neither scales nor is efficient on contemporary timescales. It is far more efficient to instil software developers with the knowledge and mindset, and to entrust them, with guardrails, to do the right things even when there are other competing pressures. Responsibility and empowerment stem from trust.

A good analogy is driving. Drivers are taught how to drive safely, initially guided by an instructor. Once qualified and licensed, drivers are entrusted to do the right things on public roads. There are still guardrails of course, yet the number of traffic offences is significantly lower than the number of journeys. Imagine a situation whereby drivers are only allowed to venture out under the guidance of an instructor. It would simply be impractical. Fundamentally, DevSecOps depends on self-sufficient operational units, on collective responsibility and on a collaborative approach, all in the presence of guardrails.

Recommendations for the move to DevSecOps:

1. Break down silos

Historically, development, operations and security have resided in different teams. The core principles of DevSecOps are collaboration and self-sufficiency. From the product point of view, the same team ought to be engaged with, and take responsibility for, the product across its entire lifecycle.

2. Select tools that meet the organisation’s needs

Whilst technology is an enabler, the tools are only the foundation. Where there's a will there's a way: for motivated teams, even tools which are less than ideal can be used to address team goals. However, gaps between the tools and the requirements ought to be recorded, so that information can be fed into the next tooling review.

3. Winning hearts and minds

There is talent in every organisation. The difficulty is to encourage a group of curious, intelligent and independently minded individuals, exactly the folks who bring business value, respond to change and address operational issues, to align with company goals. Proactive engagement, and the ability to gain the team's respect and loyalty, will be the ultimate enabler for the transformation journey to DevSecOps.

We will always be stronger when we work together. For those about to undertake this journey, Godspeed and drive SAFe.

Dr. Wendy Ng is a DevSecOps Security Managing Advisor, who has honed her technical consulting skills through a number of industries: aerospace, healthcare, fintech, telco, transport logistics, and critical national infrastructure. Wendy completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs since 2016.