DevSecOps: An Organizational Fix for Improving Cloud Security – Friction-free
By implementing the DevSecOps culture, tools and training, you’ll be on your way to more shift left security and less organizational friction. Here’s how.
The concept of shift left security is gaining momentum and popularity across organizations that understand the need to integrate security in engineering practices. But what does the term actually mean in an enterprise’s day to day?
In a recent article on the shift left conundrum, which is bound up with the Security-DevOps dynamic and with business reality, we discussed why security needs to shift left and become part of DevOps, and why the right tools for doing so are still lacking. Now let’s dive into the newest function related to Security and DevOps - DevSecOps - and see how this role complements security and development needs by providing an effective organizational solution to the problem.
What Is DevSecOps?
Let’s start with a DevSecOps definition. DevSecOps is an engineering role as well as a development culture that combines three disciplines: development (Dev), security (Sec) and operations (Ops). Until recently, the more common dual role and culture that merged engineering disciplines was DevOps, combining development and operations. The growing need to shift left on security led to adding security to this duo, turning it into a trio: DevSecOps.
In this case, three is NOT a crowd. The goal of the DevSecOps model is to integrate security into CI/CD pipelines, development environments and cloud infrastructure to ensure that software is delivered faster, at a higher quality and (this is the new part) in a secure manner.
Organizations need DevSecOps engineers to remove the friction that has traditionally existed between development and security processes. Before DevSecOps, security teams would “chase after” engineering teams to resolve security issues after the fact. DevOps teams, caught between security’s requirements and the pressure to deliver faster, often had to negotiate a tough path to be granted permissions to resources they needed. With DevSecOps, software is developed secure-first, with security processes incorporated into the software development lifecycle (SDLC) by design and as a shared responsibility among all development stakeholders.
As in DevOps, DevSecOps relies on agility and automation to smooth out bumps in the road. The security-focused DevOps role is designed to accelerate both releases and the fixing of security flaws while keeping the process compatible with modern development needs, i.e., ensuring development velocity is not impeded.
Who Needs DevSecOps?
Everyone. The need for DevSecOps is real. According to the 2021 GitLab survey, “A Maturing DevSecOps Landscape,” 70% of security pros reported that their organization has already started to shift left on security. What this actually means remains to be defined by each organization, as the practices and methods differ from one organization to the next. Also, although tools do exist, developers don’t always have access in their integrated development environment (IDE) to the results of security tests. This dilutes the main advantage of shifting left, because it prevents developers from incorporating security findings into their work while they are still coding.
The GitLab survey also shows that the question of security ownership remains open, with 28% of respondents saying that everyone was responsible. Saying everyone is responsible is a sure path to no one being responsible. While distributed security is a welcome step in the right direction, dedicated security roles are needed to drive cloud security for the organization overall and ensure its continuous improvement.
A DevSecOps professional can help fill this gap by defining and guiding security processes in development environments, ensuring end-to-end implementation and working with DevOps to divide and assign responsibilities.
A DevSecOps professional (or culture) will be in charge of:
- Raising security awareness - Becoming the security evangelist and ensuring all developers feel they are security owners and that security is part of their role. This includes giving developers access to the tools and information they need to be able to fix security flaws as early as their IDE.
- Process design and automation - Implementing processes and tools that automatically detect, alert and remediate security flaws. These security operations need to align with DevOps culture, which is based on CI/CD and tool automation to ensure speed. Otherwise, manual and complex processes will result in many developers ignoring security requirements.
- End-to-end coverage - Finding security tools that cover the entire development stack, including multi-cloud, containers, Kubernetes, etc. Silos or blind spots will result in friction and confusion which, in turn, will turn security teams into the scapegoat for any problems that arise.
What Does It Take to Be a DevSecOps Professional?
First, to be a DevSecOps professional you need a remarkably broad and deep background spanning technical and organizational skills. On LinkedIn we found open DevSecOps positions whose responsibilities and requirements included:
- DevOps automation and security automation experience
- Security certifications
- Cloud native security proficiency
- Compliance as code proficiency
- Knowledge of IAM, configuration and security management tools
- Working with the CISO, R&D and IT to build and implement security and auditing solutions
- Implementing security tools as part of the CI/CD and the production environment
- Experience enforcing security controls throughout the SDLC
- Modeling permissions and enforcing policies
- Monitoring and investigating security events
- Using an agile methodology
- Ability to run large-scale operations
- A good understanding of DevOps
As is clear from these job descriptions, the DevSecOps role sits at the crossroads of DevOps and Security, and the DevSecOps professional is expected to have a good understanding of both domains. The role charges the individual with designing, implementing and monitoring security and compliance processes across the SDLC and production environments, all while adapting to agile work processes.
In practice, the role of DevSecOps is to implement processes and tools that reduce cloud security threats. These include practices such as:
- Running scans across source code (SAST), running applications (DAST) and container images to identify vulnerabilities, and feeding the results back into the pipeline so that findings block or flag a build rather than being discovered after release
- Threat modeling
- Security design reviews
- Code analysis and review
- Securing the CI/CD pipeline
- Managing users, permissions and policies
- Vulnerability management
- Managing compliance requirements
- And more.
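The list above stays at the level of practice names. One concrete piece of the "securing the CI/CD pipeline" and "running scans" items is the gate that turns scanner output into a build decision. The script below is an added example written for this article, not code from the author, Fiverr or any vendor. It assumes the SAST or image scanner emits SARIF 2.1.0 (most do, or can), that the CI job fails when the script exits non-zero, and that a reviewed baseline of accepted findings exists; the SARIF document embedded in it is constructed sample input, not real scanner output.

```python
"""Pipeline gate for SAST / container-scan output in SARIF 2.1.0 format.

Added example, not the article's or any vendor's code. Assumes the scanner
writes SARIF and that CI fails the job on a non-zero exit status. The SARIF
document below is constructed sample data.
"""
import json
import sys
from collections import Counter

# Constructed sample: one run with two findings of different severity.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# SARIF result levels, most severe first. "none" is informational.
LEVELS = {"error": 3, "warning": 2, "note": 1, "none": 0}


def parse_findings(sarif_text):
    """Flatten SARIF results into dicts with level, rule, file, line, message."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when absent
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "level": level,
                "rule": res.get("ruleId", "unknown"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, fail_at="error", baseline=frozenset()):
    """Decide whether the build may proceed.

    fail_at:  lowest level that blocks the build ("error" blocks only errors,
              "warning" blocks warnings and errors).
    baseline: (rule, file) pairs already triaged and accepted, so known
              findings do not block every later build while they are fixed.
    Returns (passed, blocking_findings).
    """
    threshold = LEVELS[fail_at]
    blocking = [f for f in findings
                if LEVELS.get(f["level"], 2) >= threshold
                and (f["rule"], f["file"]) not in baseline]
    return len(blocking) == 0, blocking


def report(findings):
    """Developer-facing summary: counts per level, then file:line rule - message."""
    counts = Counter(f["level"] for f in findings)
    lines = [f"{lvl}: {n}" for lvl, n in sorted(counts.items())]
    for f in sorted(findings, key=lambda f: -LEVELS.get(f["level"], 2)):
        lines.append(f'{f["file"]}:{f["line"]} [{f["level"]}] {f["rule"]} - {f["message"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage in CI: python sast_gate.py results.sarif ; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = parse_findings(text)
    print(report(found))
    ok, blocking = gate(found, fail_at="error")
    sys.exit(0 if ok else 1)
```

The baseline is the part that keeps the gate compatible with DevOps velocity: without it, the first scan of an existing code base blocks every build until all historical findings are fixed, and developers learn to ignore the check. Start with fail_at="error" and a baseline of triaged findings, then lower the threshold as the backlog shrinks.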
And then there’s the DevSecOps mindset. We spoke with Idan Pinto, DevSecOps engineer at Fiverr, about his role. Idan has been in DevSecOps for a little more than a year, after stints in security operations, system integration and information technology with previous employers. Said Idan, “Above all, DevSecOps are developer enablers. We’re here to help development run faster. We need to help them understand the security guidelines, apply them to their work and go.”
In addition to working with the technology, DevSecOps personnel need acuity in working with engineers. According to Idan, DevSecOps are expected to lead cross-departmental projects and processes, some of which might be met with resistance. He added that DevSecOps is not just about having the technological and security know-how, it’s about evangelizing security to engineers and getting them on board. Without gaining their willingness to adhere to security best practices, Idan explained, DevSecOps won’t be able to meet their KPIs.
DevSecOps: Adding Security to Development Processes
Now the million-dollar question: How does an organization add security to its development organization and processes? Let’s look at how one company has done it.
Case Study: Building a DevSecOps Culture Via Transition to DevSecOps
As good a solution as DevSecOps is, implementing it requires buy-in from across the organization. As Idan explained, while the DevSecOps professional needs to have a “development enabler” mindset, their job is dependent on getting the necessary resources and the attention span of stakeholders.
Here are three steps an organization needs to take to enable DevSecOps:
Step 1: A Mindset Shift
Mindset keeps coming up in this article, for good reason: It is one of the most important aspects of implementing DevSecOps. For DevSecOps to succeed, “security” must become second nature to an organization’s developers, like “automation” and “agility” have in the past few years.
The new mindset moves security to become an integral part of the development process. This means getting the security professional involved in development scrum teams and design meetings while giving developers the tools that will help them find and address security flaws while they code. In other words, security becomes one of the code’s building blocks, just like testing. This way, when the code is ready to be deployed, there are no security surprises and no new security requirements, as they were addressed earlier.
Implementing such a mindset takes place through good communication. This starts with DevSecOps “evangelism” – ongoing dialog with DevOps, developers, architects, IT and management about the importance of security and how to implement security processes. It’s important for the individual in the DevSecOps role to come prepared with answers to difficult questions and be patient when explaining and repeating these explanations, even when things may (to you) seem obvious.
Communication continues with establishing open lines for making security decisions, allocating security responsibilities (a clear definition of who will be doing what), answering questions, providing support and gathering feedback. Such ongoing communication enables ongoing optimization of processes, which in turn ensures successful implementation of cloud security.
Although culture is often characterized as a “soft” factor, it is a necessity, not a nice-to-have. According to the 2020 Sonatype DevSecOps community survey, developers are happier when their organization has advanced DevOps practices, and are 3.6 times more likely to pay attention to security as a result.
In addition, developers are better equipped to deal with security incidents in such organizations. According to the survey, they use tooling and information, instead of rumors, to react. In other words, culture has a direct impact on an enterprise’s security posture.
Step 2: The Right Tools
“Mens sana in corpore sano” or “Healthy mind in a healthy body” is often used to describe human needs for both mental and physical well being. Applying the metaphor: the shift in mindset drives security, effective tools let developers carry it out.
DevSecOps tools should be able to address an organization’s security requirements while being true to DevOps culture. This means they should enable:
- Automation - As discussed above, capabilities for automatically discovering all cloud identities, human and service, and for alerting on and remediating the security flaws and risks associated with them. For example, tools that implement automated security testing, static code analysis or policy engines. Another valuable automation capability, and a developer-centric one, is Just in Time access, which lets developers request and quickly receive time-bound access to a resource when they need it, instead of holding standing permissions they rarely use.
- Visibility - Capabilities for monitoring security actions over time while providing explanations and alerts and enabling investigation. For example, CIEM solutions that integrate with CI/CD pipelines, monitor permissions management and automatically enforce guardrails.
Visibility has two roles in this sense. First, providing information and clarity about security flaws and how to remediate them. Second, helping bridge the gap between engineering and security by creating information transparency so each side can learn and explain to the other the required steps to improve security posture.
- Compliance enforcement - The ability to audit controls against regulatory compliance standards and security best practices, identify flaws and remediate them. CSPM tools that base their analysis on cloud configuration data give the DevSecOps professional the evidence this compliance work requires.
- Ease of use - Tools need to integrate into the SDLC or CI/CD and empower developers, DevOps, scrum masters and other stakeholders to easily add security to development sprints. For example, automatically granting or revoking permissions based on auto-generated access policy recommendations, delivered through the tools teams already use, such as Slack, Jira, ServiceNow, Jenkins and Terraform, or tools for automated patching.
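The automation, visibility and compliance capabilities above, and the "toxic permissions" problem raised later in the article, come down to reading a policy document and deciding what is risky and what is unused. The script below is an added example written for this article, not code from the author, Fiverr or any CIEM/CSPM vendor. It works on AWS-style IAM policy JSON, flags the classic toxic grants (full admin, service-wide wildcards on every resource, privilege-escalation actions without a Condition, Allow with NotAction), and produces a right-sized policy from observed usage. The policy and the OBSERVED_ACTIONS set are constructed sample data; the latter stands in for what a CIEM tool would derive from CloudTrail, and the ESCALATION_ACTIONS list is a deliberately short starting set, not a complete catalogue.

```python
"""Audit an IAM policy for toxic permissions and right-size it from observed use.

Added example, not the article's or any vendor's code. Works on AWS-style IAM
policy JSON. SAMPLE_POLICY, OBSERVED_ACTIONS and ESCALATION_ACTIONS below are
constructed sample data / a short illustrative list, not real accounts.
"""
import fnmatch
import json

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
    ],
}

# Constructed: actions this principal actually called in the review window.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "logs:PutLogEvents"}

# Actions that let a principal reach broader privileges when allowed on "*".
# Illustrative subset only; a real tool carries a much longer list.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole", "lambda:CreateFunction",
}


def _as_list(v):
    """IAM allows a single string or a list for Action/Resource."""
    return v if isinstance(v, list) else [v]


def audit(policy):
    """Return (severity, message) findings for risky Allow statements."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(("high", f"stmt {i}: Allow with NotAction grants everything not listed"))
            continue
        actions = _as_list(st.get("Action", []))
        any_resource = "*" in _as_list(st.get("Resource", []))
        for a in actions:
            if a == "*" and any_resource:
                findings.append(("critical", f"stmt {i}: full admin (Action * on Resource *)"))
            elif a.endswith(":*") and any_resource:
                findings.append(("high", f"stmt {i}: service-wide wildcard {a} on Resource *"))
            elif a in ESCALATION_ACTIONS and any_resource and "Condition" not in st:
                findings.append(("high", f"stmt {i}: {a} on Resource * without a Condition enables privilege escalation"))
    return findings


def right_size(policy, observed):
    """Build a least-privilege policy that keeps only actions actually used.

    Wildcard actions are narrowed to the observed actions they cover; statements
    whose actions were never used are dropped. Resource scoping is left to the
    reviewer, so an Allow on Resource "*" stays "*" here.
    Returns (new_policy, unused_actions).
    """
    kept, unused = [], []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st:
            kept.append(st)
            continue
        granted = _as_list(st["Action"])
        used = sorted({o for a in granted for o in observed if fnmatch.fnmatchcase(o, a)})
        unused += [a for a in granted if not any(fnmatch.fnmatchcase(o, a) for o in observed)]
        if used:
            kept.append({**st, "Action": used})
    return {"Version": policy["Version"], "Statement": kept}, unused


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_POLICY):
        print(f"[{sev}] {msg}")
    new_policy, dropped = right_size(SAMPLE_POLICY, OBSERVED_ACTIONS)
    print("unused actions:", dropped)
    print(json.dumps(new_policy, indent=2))
```

Run on the sample, the audit flags the s3 wildcard and both escalation actions, and the right-sized policy keeps only s3:GetObject, s3:PutObject and logs:PutLogEvents, which the audit then passes clean. The recommendation is the kind of artifact the article describes delivering through Jira, Slack or a Terraform pull request; the decision to apply it should still sit with a human who knows whether the unused actions are dead weight or a quarterly job that has not run yet.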
Step 3: The Right Training
Finally, training completes the trio of DevSecOps building blocks. It is essential to conduct repeated security training sessions for engineering teams. These sessions should provide them with know-how about security terms and practices such as IAM, the OWASP Top 10, cloud misconfigurations and more. In addition, the sessions should include training on the security tools in use, to ensure engineers can use them easily and comfortably.
By making such training sessions part of the engineering routine, everyone in the organization will follow the same security standards. This is not only because they will have more knowledge; training also creates willingness and motivation. According to the Sonatype survey, developers who receive code security training are five times more likely to enjoy their work. And happier developers means higher productivity, less churn and, in general, a sign that you’re doing the right thing.
In our conversation Idan noted that he invests considerable time in his own professional training and development. Technologies are constantly changing. DevSecOps leads need to stay on top of new cloud security technologies, tools and trends to keep their organization’s solutions up-to-date and effectively train their organization’s engineers.
Next Steps for DevSecOps
DevSecOps is intended to remove organizational friction when implementing security. Wherever you are in your DevSecOps journey, it’s important to ensure you or your DevSecOps professionals take the time to build a DevSecOps culture, find the right tools and conduct security training.
When choosing your DevSecOps tool, start by identifying the problem you want to solve. Is it OSS library vulnerabilities? Container security? Web application vulnerabilities? Toxic permissions? Do some research and map out the market.
Once you’ve narrowed down the list, ensure your tool provides DevSecOps, DevOps and other engineers with visibility into findings, context for the issues found, remediation functionalities, integrations into the SDLC stack, integration with existing workflows and development time savers like Just in Time access.
Finally, after signing with the vendor, conduct training on the cloud security tool with everyone involved. Make sure they all experience the “Aha!” moment and perceive the tool as an integral part of their day-to-day development efforts. Getting all three building blocks right, culture, tools and training, is the sure path to DevSecOps success.
*Special thank you to Idan Pinto, esteemed DevSecOps professional, who replied swiftly to our random LinkedIn ask and openly shared his thoughts on the DevSecOps experience.
Curious to know which roles cover security in different organizations? Find out in a recent survey on cloud security maturity here.