This report outlines the fundamental components of building a Secure DevOps program, broken down by traditional business units. It provides a better understanding of the objectives and methods behind a variety of Secure DevOps activities, can be applied to an organization of any size, and can assist in the move towards modern secure solution delivery.
What is Secure DevOps?
DevOps is an organizational structure that relies on different functional groups working together to improve business delivery. It is a philosophy based on combining the traditional roles and responsibilities of development teams and IT operations teams to accelerate the delivery of business value. When work flows smoothly through development and IT operations, new software features ship more frequently, and the business becomes more competitive and adaptive in a constantly shifting market.
The central concept of Secure DevOps is the enhanced integration of development, IT operations, and security. By adding security into the original mix, the velocity for security changes increases as well. The likelihood of vulnerabilities being introduced is reduced, and the organization is able to more quickly mitigate those risks that remain.
How can I build a Secure DevOps program?
It is paramount that the organization focuses on a custom implementation tailored to its own environment and goals. This includes discussing tangible actions within IT, development and security to enhance the existing culture, processes and technologies in the transition to Secure DevOps capabilities. Across the three groups, the necessary cultural changes are similar. Because so many processes change, the individuals involved must be willing to take on new programs, new processes and different approaches to traditional work. And because of the assortment of new processes and technologies adopted to support Secure DevOps, it is crucial that the organization encourages its workforce to share challenges and failures.
When failures are shared rather than hidden, learning can be propagated throughout the organization and generate future improvements.
The three groups: IT, Development, Security
The enablement of DevOps often falls on the IT function because of the focus on enabling movement to production, which is traditionally an IT responsibility. IT is also responsible for tooling in many organizations, a significant responsibility given the saturated DevOps tooling market. But IT also directly benefits from a DevOps system that cuts costs and frees up resources that were traditionally consumed by unnecessarily cumbersome tasks such as production migrations.
- Adopt and/or enhance existing workflow management capabilities focusing on reducing the number of items in the pipeline.
- Pursue automation where applicable, e.g. containerization, orchestration and unit testing.
- Investigate alternative deployment strategies such as blue-green deployments.
The development team is commonly viewed as the focal point for the observable changes in a DevOps environment. Development is responsible for capitalizing on the capacity provided by IT and for redesigning the development process, but it also has many opportunities for micro-enhancements within its own business unit that do not require full organizational cooperation.
- Reduce the amount of code per production “push”.
- Empower developers to write their own automated unit tests.
- Utilize version control systems.
- Leverage teaming mechanisms such as pair programming for collective learning.
As DevOps changes the structure of the organization, security must adapt to fit the new organizational model. Security can also enhance its own delivery in the new structure through refined processes and the use of available technical capabilities.
- Consider security champion programs to enable “shifting left”.
- Integrate secure code reviews throughout development rather than just prior to production.
- Examine opportunities for SAST/DAST implementations.
- Initiate a foundational bug bounty program.
Download the full report (PDF 2.1 MB): Adopting secure DevOps: An introduction to transforming your organization