The explosion of DevSecOps has caused a lot of excitement and worry within the cybersecurity community. It is no longer of question of should an organization implement DevSecOps, but rather when and how? While the scope and complexity of DevSecOps may initially seem daunting to security professionals, there are a few important points that can be kept in mind to implement an effective DevSecOps programs that can enable an organization to increase the velocity of their software releases but remain secure at the same time:
- Remember that tools are your best friend. The speed of DevSecOps makes manual testing/review simply too cumbersome to be effective. Find out which security tools best fit into your delivery pipeline, and work with the teams to effectively integrate them so that your security controls are an integral part of the framework. At a bare minimum, you should be having secure code reviews and automated security scanning for every software deployment.
- Automate the decision-making process. One of the key things I realized during implementing security controls in DevSecOps is that none of the automated security testing mentioned previously will make any difference if decisions are not made immediately based on their results. Jobs need to intelligently succeed/fail based on security success criteria that the security professionals and developers need to sit together and define. Certain things will be showstoppers for which the developers will need immediate feedback, while others can be fixed later, but this decision-making framework needs to be automated, with immediate results being sent back to all relevant teams.
- There is no escape from coding. As much as I would like to say that every organization has enough budget to hire dedicated security professionals with deep coding experience, that is simply not realistic. DevSecOps often needs security professionals to roll up their sleeves and dig in to the code to find out why jobs are failing, application programming interface (API) calls are not being triggered, etc., and developers will get frustrated if security professionals are not able to provide answers for such problems. Investing in security training for developers and coding training for security professionals will reap huge dividends in the future and help break down silos, enabling a faster cultural shift to DevSecOps at the ground level.
Read Taimur Ijlal's recent Journal article:
"Three Strategies for a Successful DevSecOps Implementation," ISACA Journal, volume 4, 2019.