Approaches to Effective SecDevOps that Everyone Can Use
Implement a company-wide security program that works really well, really quickly
By Andrew Brooks, VP of Information Security
As businesses transition toward DevOps, one of the biggest challenges leaders are faced with is how to ensure the security of applications and infrastructure while operating quickly and cost effectively.
The combination of the technologies and processes that allows security and DevOps to move in tandem is cleverly called SecDevOps. Many write-ups on SecDevOps focus on the technology side of the discussion. In reality, there is no one-size-fits-all approach to building a SecDevOps program.
What all security professionals—and their organizations—can universally strive for is implementing a program that allows companies to achieve security quickly and effectively.
Here are some key principles security professionals should keep in mind when implementing SecDevOps programs, no matter the nature of their company or organization.
Be part of the conversation
In order for security to be fast, it must be well positioned within the organization. A security team should be a service provider that engages with multiple teams and leaders.
One of the oldest security adages is that “you can’t secure what you can’t see.” Similarly, you can’t provide security guidance and insight on projects that you aren’t a part of.
It is often the case that security team members aren’t engaged early enough in a given project lifecycle. This means that when security is finally brought to the table, security debt (meaning, a backlog of security work) has already accrued. The concept of “paying down” security debt is felt in project delays and collective frustration.
Since a successful SecDevOps program is involved with many teams, information security must be embraced by the organization as a strategic business initiative. This is the part few people mention: if this initiative doesn’t have buy-in at the highest level, then it will not succeed. Your first priority as a security leader is to usher in this shift in company attitude toward security, if needed. From there, aim to involve yourself at the ground level of new projects.
Resource constraints are often one of the most limiting factors in doing security quickly. Depending on how large your organization is relative to security staff, it can be helpful to implement the concept of security champions to help alleviate the personnel bottleneck.
Automate what you can
DevOps teams live and die by their ability to automate. SecDevOps teams should be no different.
One of the most effective information security teams I’ve ever been a part of made it a cornerstone to automate as much of the day-to-day as possible. This allowed us to spend more time working with internal customers, onboarding security requirements for new projects, and building out new technology that would help us solve interesting challenges.
Having good automation in place can also help you identify when a control fails. Control failures should interrupt the automation pipeline you’ve built and trigger additional investigation. The earlier you can detect a failure in your security controls, the sooner you can remediate it. This in turn reduces your exposure, which reduces risk.
Automating risk reduction is a very good thing. Beyond automating a security team’s workflow, there are many options available for integrating security into the software development lifecycle (SDLC)—particularly into continuous integration (CI) and continuous delivery (CD) pipelines.
These tools should be able to identify security flaws, trigger build failures, open tickets, and notify security and development teams that a security issue requires investigation. This collective (and somewhat forced) collaboration between security and development also helps foster the concept of security as a service provider.
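As an added illustration of the pipeline behaviour described above (example code written for this article, not from the author or any product), here is a minimal CI gate that parses scanner findings, fails the build when any finding meets a severity threshold, builds ticket payloads for the organization’s tracker, and produces a notification for the security and development teams. The scanner output format, rule names and file paths are constructed for the example, and the gate fails closed on unknown severities or unparseable output.

```python
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output from a hypothetical scanner (not any real tool's format).
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "critical", "rule": "hardcoded-secret", "file": "app/config.py", "line": 12},
    {"id": "F-2", "severity": "medium", "rule": "weak-hash", "file": "app/auth.py", "line": 44},
    {"id": "F-3", "severity": "low", "rule": "debug-enabled", "file": "app/settings.py", "line": 3},
])


def rank(severity):
    # Fail closed: a severity the policy does not know about is treated as critical,
    # so a scanner format change cannot silently pass findings through the gate.
    return SEVERITY_RANK.get(str(severity).lower(), SEVERITY_RANK["critical"])


def evaluate(findings_json, fail_at="high", ticket_at="medium"):
    """Apply the gate policy and return the actions the pipeline should take."""
    try:
        findings = json.loads(findings_json)
    except ValueError:
        # Unparseable scanner output is itself a control failure: block and investigate.
        return {"fail_build": True, "blocking": [], "tickets": [],
                "notification": "Build blocked: scanner output could not be parsed."}
    blocking = [f["id"] for f in findings if rank(f.get("severity")) >= rank(fail_at)]
    tickets = [
        {"finding_id": f["id"], "severity": f.get("severity"),
         "title": f"[security] {f['rule']} in {f['file']}:{f['line']}"}
        for f in findings if rank(f.get("severity")) >= rank(ticket_at)
    ]
    notification = None
    if blocking:
        notification = (f"Build blocked: {len(blocking)} finding(s) at or above "
                        f"'{fail_at}'; {len(tickets)} ticket(s) opened for review.")
    return {"fail_build": bool(blocking), "blocking": blocking,
            "tickets": tickets, "notification": notification}


if __name__ == "__main__":
    # Usage: python gate.py [findings.json]; with no argument the constructed sample is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FINDINGS
    decision = evaluate(raw)
    print(json.dumps(decision, indent=2))
    sys.exit(1 if decision["fail_build"] else 0)  # a non-zero exit is what interrupts the pipeline
```

The ticket payloads are plain dicts so they can be posted to whatever tracker the rest of the organization already uses, in keeping with the point made later about reusing existing tools.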
Capitalize on existing tools and technology
Many years ago, I witnessed one organization invest close to a million dollars in software security tools, which they then thrust upon their (very large) software development teams. The company purchased and deployed these tools without consideration to how their dev teams did their work. As you may imagine, this resulted in a colossal failure to adopt and operationalize the new security tools. The project was eventually scrapped entirely.
In most organizations, information security is a minority stakeholder. Despite that fact, it is information security that often tries to introduce new technology and workflows for the purpose of protecting the business.
Oftentimes these tasks are carried out without understanding how dependent business units do their work, which is antithetical to operating as a service provider. This invariably results in the exact opposite of what the security team had planned. Rather than participating in security activities, teams find ways to go around security. This never ends well for the business.
Some of the easiest, most effective, and least expensive security wins can be had simply by understanding the tools and technology your company uses. Once you have this knowledge, identify ways to integrate and embed security into existing processes and workflows.
For example, if an operating system needs to be patched for security reasons, use the organization’s existing ticket system to track the security-related ticket submission, workflow, and resolution. Don’t use a separate security-specific platform, which puts the burden on staff to learn and adopt a totally different platform from the one they already use for everything else. By using the same tools the rest of your organization uses, it’s a much smaller lift for everyone to promote security wins.
To Recap: Meet people where they are
As a security professional, you are a service provider for your organization. If you want to implement security that moves as quickly as your company does, you need to be in sync with your company on all levels. This means meeting colleagues where they already are—on the ground level when planning company-wide initiatives, and using software and processes they’ve already adopted.
By contouring your security strategy to integrate with existing technology, and contouring it to your users, you will become part of the conversation and process. This helps you move faster in your role, gain advocates who make your job easier, and—most importantly—keep your organization secure as a matter of daily business.