DevSecOps — a new paper by Microsoft and Sogeti
6 tips to put security into your DevOps practices
The rapidly changing world of DevOps and its role in enabling business is fascinating. That’s why I’m excited at the launch of a new paper that I and my colleagues at Sogeti have written in partnership with a great team at Microsoft. The following excerpt gives you a flavor of the paper, which I urge technical leaders and anyone working in DevOps, security, and wider enterprise IT to read.
Over the years, software development practices have evolved to serve the needs and the speed of business. Recently, DevOps methodologies provided software engineers and operations teams with a faster and more efficient way to develop code. However, efficient DevOps practices uncovered a new bottleneck, pushing security to the end of application development and management. This bottleneck is part of the reason organizations typically take 218 days (GitHub, Octoverse Security Report, 2020) to uncover a security vulnerability, which can be extremely costly. NIST (Security Boulevard, The Importance of Fixing and Finding Vulnerabilities in Development, 2020) estimated that the cost of fixing a security defect in production can be up to 60 times higher than during the development cycle. That is why research by McKinsey (Microsoft, Developer Velocity: Lessons from Digital Leaders, 2021) indicates that embedding security early into the stages of application development and management—or shifting left—is a major investment focus for digital leaders. These leaders recognize that integrating security into their pipelines and leveraging modern platform capabilities is the next logical evolution of the DevOps methodology: DevSecOps.
Now, the issue facing digital leaders is the security and compliance of their code, workflows, and infrastructure—all of which are under external pressure from tight delivery deadlines. To meet rigid deadlines, organizations often forego security best practices and deploy code with known vulnerabilities. Compliance also remains a key issue because the related audits are exhaustive and time-consuming. Forbes reports, “Some CISOs spend 30% or more of their time dealing with compliance issues.” (Forbes, Awash In Regulations, Companies Struggle With Compliance, 2019) So how can your enterprise harden security and address compliance at the same time?
Yet again, the answer is collaboration. It’s time to include security within your DevOps teams. Your DevSecOps team’s collaborative success relies on shared tooling and visibility into application health at every stage of application development and management (ADM). Through early detection, organizations drive efficient and cost-effective fixes of security vulnerabilities. At the same time, capturing opinionated insight at every stage of ADM enables organizations to achieve continuous compliancy. The most challenging task is to make security complement existing business processes, culture, and people. It’s crucial to develop cross-function collaboration and unite development, security, and operations teams around the culture of security as a shared responsibility.
Improving security posture isn’t just about moving security to an earlier phase of ADM, it’s about adopting a different way of working, one that emphasizes cross-team collaboration, shared empathy, and shared responsibility. Ideally, security is baked into ADM, so teams don’t see it as an extra step but as an integral step to software delivery. Embracing DevSecOps requires organizations to shift their culture, evolve existing processes, leverage modern platform capabilities, and strengthen governance.
The following 6 tips aim to help IT professionals working in this area to integrate security with their DevOps practices:
Tip 1: Build a security-first culture across the business
Developing a security community in your enterprise improves buy-in across the organization and energizes employees.
Tip 2: Integrate security in the early stages of the development lifecycle
Thinking about security upfront and embedding security practices early will help you avoid vulnerabilities and common roadblocks.
Tip 3: Monitor and observe continuously with purpose
Planning out objectives for continuous, context-based monitoring and observation enables your enterprise to be more proactive against threats.
Tip 4: Embrace everything-as-code
Adopting an everything-as-code approach helps your enterprise’s deployment reliability, version control, and testing effectiveness.
Tip 5: Realize compliancy with policy automation
Both the regulatory landscape and the software it governs are constantly changing, demanding an automated approach to policy compliance.
Tip 6: Secure and visualize your software supply chain
Understanding your software systems’ dependencies on open source and third-party platforms, frameworks, and components further secures your software supply chain.
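Tips 5 and 6 come together in a pipeline gate that keeps a dependency inventory and evaluates it against policy written as code. The script below is an added example and is not from the paper or from Microsoft or Sogeti; the requirements manifest, the policy, and package names such as insecure-widget and oldcrypto-lib are constructed for illustration, and the rules (exact pins required, a denylist, a minimum-version floor) are assumptions about what an organization might enforce.

```python
"""Dependency inventory plus policy-as-code gate (added example, constructed data)."""
import re
from typing import Dict, List, Optional

# Accepts "name", "name==1.2.3", "name>=2.0" with an optional trailing comment.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[A-Za-z0-9_.*+-]+))?\s*(?:#.*)?$"
)

# Constructed manifest; these are not real vulnerable packages.
SAMPLE_REQUIREMENTS = """
# constructed sample manifest, not a real project
requests==2.31.0
flask>=2.0              # range, not an exact pin
pyyaml                  # no version at all
insecure-widget==1.4.0  # constructed name placed on the denylist below
oldcrypto-lib==0.9.2    # constructed name below the policy floor below
"""

# Constructed policy; in practice this would live in version control next to the code.
POLICY = {
    "require_exact_pin": True,
    "denied": {"insecure-widget"},
    "min_versions": {"oldcrypto-lib": "1.0.0"},
}


class Dependency:
    def __init__(self, name: str, op: Optional[str], version: Optional[str]):
        self.name = name.lower().replace("_", "-")  # normalise the name (PEP 503 style)
        self.op = op
        self.version = version


def parse_requirements(text: str) -> List[Dependency]:
    """Turn manifest text into Dependency objects; unparseable lines are an error."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement line: {raw!r}")
        deps.append(Dependency(m.group("name"), m.group("op"), m.group("ver")))
    return deps


def version_key(version: str):
    """Numeric tuple for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def inventory(deps: List[Dependency]) -> List[Dict[str, str]]:
    """Minimal SBOM-like inventory: what is used and at which version."""
    return sorted(
        ({"name": d.name, "version": d.version if d.op == "==" else "unpinned"} for d in deps),
        key=lambda row: row["name"],
    )


def evaluate_policy(deps: List[Dependency], policy: dict) -> List[Dict[str, str]]:
    """Apply the policy rules to every dependency and collect findings."""
    findings = []
    for d in deps:
        if d.name in policy["denied"]:
            findings.append({"rule": "denied-package", "package": d.name,
                             "detail": "package is on the organisation denylist"})
        if policy["require_exact_pin"] and d.op != "==":
            findings.append({"rule": "unpinned", "package": d.name,
                             "detail": f"expected an exact == pin, got {d.op or 'no version'}"})
        floor = policy["min_versions"].get(d.name)
        if floor and d.op == "==" and d.version and version_key(d.version) < version_key(floor):
            findings.append({"rule": "below-minimum-version", "package": d.name,
                             "detail": f"{d.version} is below policy floor {floor}"})
    return findings


def gate(text: str, policy: dict) -> bool:
    """Pipeline gate: True only when the manifest produces no policy findings."""
    return not evaluate_policy(parse_requirements(text), policy)


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    for row in inventory(deps):
        print(f"{row['name']:<18} {row['version']}")
    for f in evaluate_policy(deps, POLICY):
        print(f"FAIL {f['rule']:<22} {f['package']:<18} {f['detail']}")
    print("gate passed" if gate(SAMPLE_REQUIREMENTS, POLICY) else "gate failed")
```

Running the script prints the inventory first, then four findings (two unpinned packages, one denied package, one below the version floor), and reports the gate as failed. Keeping the policy in a file next to the code, rather than in a reviewer's head, is what makes the compliance check repeatable on every commit.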
Read the paper
Each of the 6 tips is expounded in more detail in the paper, which also features use cases illustrating how DevSecOps teams can create value from new DevOps tooling, approaches, and cloud capabilities.