Two major shifts are affecting organizational cybersecurity posture: digital product and service offerings are increasingly powered by mobile, cloud and data analytics; while developers of those products and services are migrating to Development Operations (DevOps) processes for greater agility and scale. Because both of these trends have security implications, CISOs are innovating approaches to build security in and shift it to a shared responsibility between the development and IT teams.
A new practice of DevSecOps—bridging DevOps workflows with Information Security (InfoSec) Operations—blends constructs familiar to both groups. Here are a few tips on how to start a DevSecOps initiative:
- Establish the foundation. Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the Engineering, Operations and Security teams. This is also how expectations for mutual accountability and high security standards get defined. The org manifesto offers a great starting place. Their guidelines can be readily modified to fit a company’s unique requirements.
- Prove it out first. It’s best to prove ideas manually before automating them. At Cisco, we ran an Agile security hack-a-thon with participants from the Information Security and application teams to first configure the most important security requirements – what we call the guardrails. Start by defining what your guardrails should be in the context of what platform you’ll use. For example, our first target environment was built on Amazon Web Services (AWS), so we defined 10 guardrails for our AWS accounts that fit our specific requirements. Then, conduct a hack-a-thon as you would for other Agile development efforts. Post-test readouts help the entire team be knowledgeable and support users in DevOps fashion.
- Automate Your Guardrails. Provide an easy way for your teams to apply the guardrails, such as at the time of new account provisioning. Also develop simple scripting to retrofit those with existing accounts. This likely will require coordination among multiple teams – InfoSec, IT, Supply Chain, Procurement and possibly others. We achieved the security automation via our own tool we call the Continuous Security Buddy (CSB), which is built on several AWS services.
- Continuously Validate. As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs. Consider creating security “health reports” based on specific scoring or grading criteria to send to department tenants on a regular basis. That will empower tenants to address any critical security findings in a timely manner, and enable a cycle of teams always integrating and deploying code while getting ongoing security assurance…