In our last blog ‘Rugged DevOps Invites Security to Join the Party’, I hopefully convinced you to embrace Rugged DevOps.
The heart of Rugged DevOps is taking the DevOps mindset to the next level by adding security to the mix. This means collaboration between development, operations and security, allowing security to be involved from the beginning of your software development lifecycle (SDLC).
“How can I achieve this?” I’m glad you asked. Here are the 7 essential steps to get your DevSecOps team off the ground and running
#1 Shift Security to the Left, Right!
Those of you already doing DevOps shouldn’t be surprised to hear that you need to shift left security. After all, checks and tests should be there from the day you start coding. So why not invite security to get involved.
As is discussed in our post ‘3 Hidden Costs for Not Managing Your Open Source’, the earlier you find a security issue in development, the cheaper, quicker and easier it is to fix. Our selection tool browser plug-in is such an example of how security can be checked before a component is even integrated into your software. Our service is a browser plug-in which enables developers to see security vulnerabilities or severe software bugs in any versions of an open source library they are viewing online. Furthermore, our plug-in lets the developer know the component’s license information, if it’s already in use and whether it passes your enterprise’s open source policy. All this means developers can make better decisions about what open source components to use from the outset.
By empowering your engineers to focus on security, you are greatly reducing the risk of adding vulnerable components within your software, meaning fewer delays further down the line. So, now we’ve established security testing should be with you from the beginning of development, how often should it occur?
#2 Set Your Testing to Auto-Pilot
As those of you already doing DevOps know, automated testing is a key part of its success. The beauty of automation is it allows you to run tests more often as you are no longer reliant on your engineers running them manually. Furthermore, the accuracy of testing is much higher, as there is no space for human error. So, what benefits does automated security testing have in store for your software development?
As you know, your engineers’ main priority is writing new functionalities for your enterprise, not security testing. By automating your security testing, developers can run tests at a push of the button, meaning you can radically increase their frequency. Furthermore, if you are relying on manual security testing, it’s inevitable that some security vulnerabilities will slip through the net. Yet by automating the process, you can be sure that all identifiable bugs are uncovered. Ultimately you will catch more security vulnerabilities during development, and your developers can focus on writing kick-ass code rather than security testing.
So now you are able to identify security issues from the first line of code, the next step is to recover faster when you do experience security issues.
#3 Climbing Back on the Horse, Faster
With developers updating software at breakneck speeds, and operations rushing to get it out the door, DevOps does come with risks. However, that very velocity means when problems do arise, their MTTR (mean time to repair) has to be short and sweet. Once again DevOps’ spirit of knowledge sharing comes to save the day. By promoting collaboration between development and IT, operations are able to identify the root cause of issues, thus contributing to a radically reduced MTTR. The power of DevOps to reduce MTTR is clear, with Puppet’s State of DevOps report revealing that high performing IT organizations (who of course are performing DevOps) have X24 faster recovery speeds compared to their lower-performing peers. However, by DevSecOps supplying a healthy security injection, you can be even faster.
When a security event does occur, your security team no doubt goes into overdrive to find and repair the issue or vulnerability at hand. However, if they are unable to identify the root cause of the issue, this can severely affect your MTTR. What is the solution I hear you ask? DevSecOps of course. By embedding security tools throughout your software pipeline, developers and security will gain security insight into what components are used in your software, including all dependencies and sub-dependencies. No more will your security teams have to look for the needle in a hack stack when the security sirens sound, instead they can put the fire out straight away. However, all of this speed may be in vain if your engineers, operations and security professionals are not all singing from the same page.
#4 All Pushing in the Same Direction
Through DevOps opening up communication and operations between engineers and IT, the two have been able to set shared goals, and work in tandem towards their achievement. Increased deployments offer a good example. As Jez Miller from Heartland testifies, de-siloing the two teams and getting them to work with common tools allows enterprises to drastically increase deployments. The proof is in the pudding, with enterprises performing DevOps doing x200 more deployments compared to their counterparts. With the benefits of cross-team goal sharing there for all to see, don’t you think it’s time security joined the conversation?
As with DevOps, the key to DevSecOps’ success is in opening up communication between different teams and ensuring everyone is striving towards the same KPIs. You’ll be glad to hear that DevOps’ KPIs not only remain unchanged under DevSecOps, but they are bolstered by security adding KPIs of its own. DevOps’ goals of faster deployments and reduced MTTR, and security’s KPIs of reducing the (re)occurrence rate and remediation time of security issues are a good place to start. By your whole DevSecOps team integrating security throughout your pipeline, infrastructural repairs will be swifter, meaning a more efficient deployment cycle.
However, for your DevSecOps team to attain shared goals, they must also set best practices to ensure each department bolsters rather than hampers the other. For example, despite the number of times your developers hear they shouldn’t copy and paste open source code, it’s often hard for them to resist due to its ease. But with DevSecOps, security can demonstrate to developers that copy and pasting is not the way to go, as the practice makes it impossible to track the usage of open source components. So now your development, operations and security teams are all reading from the same script, you need to be sure that security can adapt its mindset to your new DevSecOps reality.
#5 Time for Security to Have a Micro-Makeover
For too long security has been perceived to be at odds with DevOps’ mindset. Rather than security being part of its path of incremental improvement, it has taken an ‘overseer’ position via setting exhaustive policy documents. But now DevSecOps is here, it’s time for security to change.
Security now needs to be involved with development and operation’s practices and processes on the ground level, skewing them to be more secure. So, instead of setting detailed roadmaps, security should focus on more actionable objectives, such as decreasing vulnerabilities’ remediation time or inserting static analysis after a developer checks in code. By security getting involved in micro processes, it will be able to contribute to a macro result. However, Rugged DevOps isn’t all about benefitting your security professionals, developers also have a lot to gain.
#6 Empowering Developers to do Security
DevOps is all about empowering developers to make the right choice the first time by giving them the right tools. However, developers currently don’t have all the tools they need to code securely. And once they’ve written the code, they have to wait for security and QA feedback. So, all you need to do now is give development the ‘rugged’ treatment.
If done right, a large portion of security issues can actually be resolved by developers themselves. Developers at the end of the day want to code securely, because any security issues could potentially lead to unplanned work cropping up in the future. Here are a few suggestions to empower your developers to code more security: -
- Giving developers spell-check alerts if any of their code has security issues
- Giving developers access to information in their IDE which let them know if a component they’re about to use is vulnerable
- Enabling developers to identify component dependency and sub-dependency vulnerabilities
- If a vulnerability is detected, information regarding any available patches, fixes or newer versions
However, in order for your developers to embrace security, first management needs to promote this cultural shift.
#7 Changes in Culture Start at the Top
If you’re doing DevOps right, your enterprise no doubt has a leader who isn’t afraid to shake up the status quo of how developers and operations work together. Ruslan Meshenberg (Director of Platform Engineering) and Josh Evans (Director of Operations Engineering) at Netflix offer such an example.
Due to Netflix’s massively distributed cloud infrastructure, operational bugs are inevitable. Therefore, these two guys decided if their system is going to fail, they will control its failure and proactively identify and resolve any weaknesses. At this point, Meshenberg and Evans gave their teams the freedom and authority to engineer a solution together. And so the Simian Army was born. This suite of automated tools randomly shuts down individual/cluster level servers to check for automatic resilience. Through Mehsenberg and Evans having the courage to promote true collaboration across their teams, Netflix can now be confident that their customers streaming enjoyment won’t be disrupted.
Just as with DevOps, DevSecOps needs brave and bold leadership to take hold within your enterprise. Managers need to empower their professionals by giving them the authority, responsibility, and tools to build more productive developing environments. Leaders need to understand that in order to build efficient quick systems, less not more supervision is needed. After all, professionals need the freedom and confidence to collaborate and innovate together.
A DevSecOps Recipe for Success
And there you have it. 7 essential steps to ensure your enterprise is rugged through and through.
With development, operations and security all working in unison, you will no doubt soon start to enjoy a more agile and higher velocity software development lifecycle.
Have you already adopted DevSecOps or are you thinking about it? Let us know.