"Shifting left," the latest buzzphrase for pushing responsibility and functionality to the beginning of the software development lifecycle, is a good idea, but more is needed -- especially in DevOps situations, in which software moves through fast, and in an automated fashion. Organizations with highly integrated security practices are well ahead with DevOps as well.
Hence, the increasing emphasis on expanding the DevOps term to DevSecOps -- as explained in this Red Hat overview, DevSecOps means "thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down.".
DevSecOps may seem like a dry, highly technical and siloed pursuit, but in practice, it is shaped by an open culture that seeks to deliver innovation at the rapid pace customers increasingly require. "Firms that are undergoing DevOps transformations want and need guidance on how to integrate security," state the authors of a recent survey released by Puppet, CircleCI and Splunk Inc.
The Puppet/CircleCI/Splunk survey, which involved 3,000 developers and managers, validates how DevSecOps enhances the entire DevOps practice. The survey finds that teams at higher levels of DevOps practices have automated their security policies, and they involve security teams very early in the software development lifecycle -- including the planning and design phases.
Twenty-two percent of the firms at the highest level of security integration have reached an advanced stage of DevOps evolution, compared to only six percent of the firms with no security integration.
Firms at the highest level of security integration, the survey shows, are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration - 61 percent are able to do so. Only 49 percent of organizations without integrated security can deploy on demand.
A strong DevOps culture also supports stronger security, the survey finds. This is defined as "a culture of sharing, where teams collaborate using common tools and work towards common goals; where delivery teams have strong autonomy, yet it's relatively easy to cross organizational boundaries to get work done."
What's the best path to DevSecOps? Cisco, a sprawling tech organization with a huge business stake in secure software delivery, has been employing DevSecOps methodologies to assess and improve the security posture across its many cloud-based outlets. In a recent post, Steve Martino, senior vice president and chief information security officer for Cisco, shared details of his company's journey:
- Establish a foundation. "Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the engineering, operations and security teams," Martino writes.
- Prove it out first. "At Cisco, we ran an Agile security hackathon with participants from the Information Security and application teams to first configure the most important security requirements - what we call the guardrails."
- Automate your guardrails. "Provide an easy way for your teams to apply the guardrails, such as at the time of new account provisioning. Also develop simple scripting to retrofit those with existing accounts."
- Continuously validate. "As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs. Consider creating security health reports based on specific scoring or grading criteria to send to department tenants on a regular basis."