Two major shifts are affecting organizational cybersecurity posture: digital product and service offerings are increasingly powered by mobile, cloud and data analytics; while developers of those products and services are migrating to Development Operations (DevOps) processes for greater agility and scale. Because both of these trends have security implications, CISOs are innovating approaches to build security in and shift it to a shared responsibility between the development and IT teams.
A new practice of DevSecOps—bridging DevOps workflows with Information Security (InfoSec) Operations—blends constructs familiar to both groups. Here are a few tips on how to start a DevSecOps initiative:
- Establish the foundation. Clearly defined guiding principles that drive security throughout the development process help establish mutual trust among the Engineering, Operations and Security teams. They are also how expectations for mutual accountability and high security standards get defined. The DevSecOps.org manifesto offers a good starting place; its guidelines can be readily modified to fit a company’s unique requirements.
- Prove it out first. Prove ideas manually before automating them. At Cisco, we ran an Agile security hack-a-thon with participants from the Information Security and application teams to first configure the most important security requirements, which we call the guardrails. Start by defining what your guardrails should be in the context of the platform you will use. For example, our first target environment was built on Amazon Web Services (AWS), so we defined 10 guardrails for our AWS accounts that fit our specific requirements. Then conduct a hack-a-thon as you would for any other Agile development effort. Post-test readouts bring the whole team up to speed so they can support users in DevOps fashion.
- Automate Your Guardrails. Provide an easy way for teams to apply the guardrails, for example at the time a new account is provisioned, and simple scripts to retrofit existing accounts. This will likely require coordination among multiple teams: InfoSec, IT, Supply Chain, Procurement and possibly others. We achieved this security automation with our own tool, the Continuous Security Buddy (CSB), which is built on several AWS services.
- Continuously Validate. As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs. Consider creating security “health reports” based on specific scoring or grading criteria to send to department tenants on a regular basis. That will empower tenants to address any critical security findings in a timely manner, and enable a cycle of teams always integrating and deploying code while getting ongoing security assurance.
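The three steps above (define guardrails, apply them to every account, score each account continuously) follow a pattern that is easy to show in code. The following is an added example written for this page; it is not Cisco's Continuous Security Buddy, and the eight guardrails, the account snapshot format and the A to F grading thresholds are assumptions chosen to illustrate the pattern, since the page does not list Cisco's 10 guardrails. The account snapshots are constructed inline so the example runs offline; in practice they would be filled from cloud provider APIs on a schedule.

```python
"""Guardrail evaluation and daily health grading for cloud accounts.

Added example, not Cisco's CSB. Guardrails, snapshot keys and grade
thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A snapshot is a plain dict of an account's security-relevant settings.
# Constructed inline here; a real collector would populate it from APIs.
Snapshot = Dict[str, object]


@dataclass(frozen=True)
class Guardrail:
    name: str
    critical: bool                      # a failed critical guardrail caps the grade
    check: Callable[[Snapshot], bool]   # returns True when the account is compliant


GUARDRAILS: List[Guardrail] = [
    Guardrail("root MFA enabled", True, lambda s: s["root_mfa"]),
    Guardrail("no root access keys", True, lambda s: not s["root_access_keys"]),
    Guardrail("audit logging enabled in every region", True, lambda s: s["audit_log_all_regions"]),
    Guardrail("no publicly readable storage buckets", True, lambda s: not s["public_buckets"]),
    Guardrail("no 0.0.0.0/0 ingress to SSH or RDP", True,
              lambda s: not any(r["port"] in (22, 3389) and r["cidr"] == "0.0.0.0/0"
                                for r in s["ingress_rules"])),
    Guardrail("password policy requires 14+ characters", False, lambda s: s["min_password_len"] >= 14),
    Guardrail("no access keys older than 90 days", False, lambda s: s["oldest_key_age_days"] <= 90),
    Guardrail("configuration drift recorder enabled", False, lambda s: s["config_recorder"]),
]

Result = Tuple[str, bool, bool]   # (guardrail name, critical, passed)


def evaluate(snapshot: Snapshot) -> List[Result]:
    """Run every guardrail against one account snapshot."""
    return [(g.name, g.critical, bool(g.check(snapshot))) for g in GUARDRAILS]


def score(results: List[Result]) -> int:
    """Percentage of guardrails passed, 0 to 100."""
    return round(100 * sum(passed for _, _, passed in results) / len(results))


def grade(results: List[Result]) -> str:
    """Letter grade; any failed critical guardrail caps the grade at C."""
    s = score(results)
    letter = "A" if s >= 90 else "B" if s >= 80 else "C" if s >= 70 else "D" if s >= 60 else "F"
    if letter in ("A", "B") and any(critical and not passed for _, critical, passed in results):
        letter = "C"
    return letter


def health_report(account_id: str, snapshot: Snapshot) -> str:
    """Text report a tenant could receive daily: score, grade, failed guardrails."""
    results = evaluate(snapshot)
    lines = [f"Account {account_id}: score {score(results)}, grade {grade(results)}"]
    for name, critical, passed in results:
        if not passed:
            lines.append(f"  FAIL{' (critical)' if critical else ''}: {name}")
    return "\n".join(lines)


# Constructed sample snapshots (not real accounts).
HEALTHY: Snapshot = dict(
    root_mfa=True, root_access_keys=False, audit_log_all_regions=True,
    public_buckets=[], ingress_rules=[{"port": 443, "cidr": "0.0.0.0/0"}],
    min_password_len=16, oldest_key_age_days=30, config_recorder=True,
)
AGING_KEYS: Snapshot = dict(HEALTHY, oldest_key_age_days=120)        # one non-critical failure
NO_ROOT_MFA: Snapshot = dict(HEALTHY, root_mfa=False)                # one critical failure
DRIFTED: Snapshot = dict(HEALTHY, public_buckets=["logs-bucket"], oldest_key_age_days=200)

if __name__ == "__main__":
    for acct, snap in [("111111111111", HEALTHY), ("222222222222", AGING_KEYS),
                       ("333333333333", NO_ROOT_MFA), ("444444444444", DRIFTED)]:
        print(health_report(acct, snap))
```

The point of the critical flag is that a percentage alone hides severity: an account that passes 7 of 8 guardrails but has no MFA on its root user should not receive the same B as an account whose only finding is an ageing access key. Keeping the checks as small pure functions over a snapshot also makes the retrofit script for existing accounts and the provisioning-time check the same code.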
Learnings and Results
At Cisco, our DevSecOps adoption and the subsequent security improvements exceeded our expectations. Within several weeks, our minimum viable tool ran in 72% of the accounts hosting Cisco’s Cloud offers; on average, 97% of these accounts received a health score of A or B in their daily report, indicating a healthy security posture relative to the established guardrails.
The whole effort taught us meaningful lessons about moving to a new model: the need for hands-on learning; setting realistic expectations for launch and then growth; detailing the full range of compliance needs; building genuine, trusting partnerships with all key internal stakeholder groups; and taking necessary but reasonable risks. A mutually respectful and cooperative culture is perhaps the most essential ingredient. Complement your InfoSec team with other appropriately skilled resources to ensure successful delivery of your DevSecOps principles and guardrails; the collective skills and knowledge will cross-pollinate. Bringing teams together around a common goal is always a recipe for success.
See also: CISO Insights: Another side to Cyber Culture