As the lines between the physical and digital worlds blur, DevSecOps meets two key needs when creating software – speed and security.
Turnaround times are faster than ever. What once took years is now expected to take months or even weeks.
And in the last few years, the threat posed by cyberattacks has grown. Organisations are beset by highly organised and motivated criminals, and a single successful attack can have severe repercussions.
The question then becomes how do you balance speed and security?
DevOps was a natural solution for companies looking to work faster – integrating development and IT operations let them build adaptability into new products from the start, reducing delivery times.
However, this approach left out security. Too often, building security into software was left until late in the development cycle. This created a bottleneck in a system designed to be as fast and efficient as possible, as lengthy testing and quality assurance cycles delayed release. And if flaws were found, going back into the development cycle to fix them was difficult, expensive, and slow.
DevSecOps is the natural evolution of DevOps – integrating security into the development process itself. Security issues are identified and remedied as they come up, reducing the need for a lengthy security-testing phase at the end.
While the approach offers many benefits to organisations, implementing DevSecOps comes with challenges. However, newer technology, such as public cloud platforms, is helping to solve these problems.
DIGIT spoke with cloud security architect lead Dr Wendy Ng about the lessons she learned from creating a DevSecOps system for information services company Experian.
“DevOps has three fundamental principles,” Ng says. “The first is shared responsibility. Historically, development and operations are separate fields, with contrasting remits – new features and functionality for the development team, system stability for operations.
“The solution combines the remits through small iterative changes that are more stable to implement. Additionally, instead of passing ownership between two teams, a single team is responsible for the full lifecycle of an application.”
However, since the creation and popularisation of DevOps, the cybersecurity landscape has evolved. In recent months there has been a raft of zero-day exploits, perhaps the most prominent being the Microsoft Exchange attack. This has made security more of a priority than ever.
Until relatively recently, security was still seen as an IT issue. The temptation was to solve it from the top down. To meet the new security challenges, a new approach is needed.
“When done well, DevOps ought to include security. DevSecOps is the first time security, including team members with a security remit, is explicitly incorporated into the Agile way of working.
“Logistically, and from a cost standpoint, early detection of security vulnerabilities reduces the cost of remediating vulnerabilities,” Ng explains.
DevSecOps provides a way to ensure that security can keep up with rapid development cycles. Furthermore, it leverages recent advances in technology, such as automation.
“Another core concept of DevSecOps is agility. Whilst DevSecOps is not only about technology, it is definitely supported by technology and automation. Automation, through scripting for tasks in the software development pipeline, also ensures consistency and helps with documentation. Actions are effectively recorded by the scripts.
“Additionally, the orchestration platforms will assist with guardrails such as access control, and can be used to produce logs, and analytics allow granular tracking of development and deployment bottlenecks.
“This would allow teams to monitor their progress and make adjustments rapidly. Instead of relying on anecdotes and potential reporting bias, the metrics ought to increase visibility on the actual progress made by the team.”
However, while many companies have tried to make DevSecOps work, there are relatively few success stories.
“How a company makes their transformation will depend on their starting point,” Ng says. Having developed Experian’s DevSecOps programme, Ng has a unique insight into the challenges presented by the approach.
“Experian is a multinational, present in over 40 countries with an employee base of over 80 nationalities. The company had development teams on just about every continent. It was also quite a ‘mature’ organisation which operated on a federated business model.”
With diffuse operations, different teams had their own preferred tools and practices. One of the first goals of the programme was to consolidate all these methods, reducing redundancy and increasing transferability and communication between different teams.
“Having a large array of tools may actually stifle collaboration and innovation. It certainly doesn’t help with sharing collateral if teams are on different platforms,” Ng says.
“We were under no illusions that this would be easy, especially for an organisation which is actively serving customers. However, by spending time speaking to the team and getting their feedback, we gained their trust. We also made sure we were transparent with the process and devoted time to ‘playbacks’ to the team so that they understood how we made the decisions.
“Getting stakeholder buy-in really is key, even if we couldn’t propose their favourite tool as the enterprise offering,” Ng adds.
Working at such a large company presented another major challenge for Ng – integrating so many geographically separated workers, an obstacle any organisation with a similarly large and dispersed workforce will face when bringing different teams together.
“Another potential challenge is that even within a single development team, we’re often dealing with different cultures,” Ng notes. “In fact, even the ‘core’ transformation team had at least four nationalities. Fortunately, I found that transparency and using simple language works well, especially for stakeholders whose primary language is not English.
“The team made sure that we spent time sense-checking understanding and we did not make assumptions which were not valid. This allowed us to build trust, which is critical.”
“Perhaps the most important ingredient for a successful DevSecOps transformation programme is cultural change,” Ng says.
Indeed, DevSecOps is based on a radical shift in attitude towards security. Good security is also behavioural rather than just architectural – everyone in an organisation needs to act securely to protect an organisation and its assets. After all, what use is a strong gate with a secure lock if someone leaves the door open?
“DevSecOps is a proponent of shared responsibility and accountability. Everyone within the product team is responsible for and accountable for the full lifecycle of their product from its inception, including security.
“And it should be the same team who is involved in design, development, deployment and operations and until the product is retired. This means as a team, they need to adopt new skill sets and support each other since their ‘personal’ success is directly related to how well the team performs – it really is a case of ‘stronger together’.
“DevSecOps also has a big emphasis on automation, which will provide metrics, thus visibility, that the teams can act on through a process of continuous improvement. It’s very much a mindset change that effectively involves conducting small ‘experiments’ – try something, within reason and with a clear rationale, and find out. That way we will also have real data from which we can make decisions.”
Creating this cultural shift was itself among the biggest challenges Ng faced.
“We wanted to make the process as egalitarian as possible, so that we have both informal and structured conversations with every development unit at Experian, regardless of where they are located,” Ng says.
“We were also working on a fairly tight deadline, so a decision was made early on that even though travel was still permitted, as it was pre-Covid, for efficiency’s sake we leveraged telecommunications technologies as much as possible. This meant we didn’t have to travel to all four corners of the Earth to make sure we got input and feedback from the team.
“Again, to ensure collateral and notes can be accessed by stakeholders, we made sure processes were recorded and clearly laid out so that anyone who came after us could review what the team did.”
In many ways, DevSecOps builds on the agility and flexibility offered by the cloud. New code is committed to shared repositories, automatically built and tested, and checked against security policy before it is approved for release.
With code, pipelines and logs held on a shared platform, traditional silos are easier to break down. That transparency means development, operations, and security teams can all see what the others are doing.
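As an added illustration of the automated pipeline gate described above and of Ng’s point that scripted pipeline steps record their own actions and produce metrics, the following script is an example written for this article, not Experian’s code or any tool the article names. It assumes a scanner that emits findings as a list of JSON objects with `id`, `severity`, `file` and `title` fields (a constructed format), and a list of time-boxed risk exceptions; both inputs are constructed sample data. It fails the build on any unaccepted finding at or above a severity threshold, ignores exceptions that have expired, and writes one structured JSON record of what it decided so the outcome can be logged and tracked.

```python
"""Pipeline security gate: block a build on unaccepted high-severity findings.

Added example, not code from the article or from Experian. The finding and
exception formats below are assumptions chosen for illustration.
"""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (not real findings).
SAMPLE_FINDINGS = [
    {"id": "SAST-001", "severity": "high", "file": "app/auth.py",
     "title": "Hard-coded credential"},
    {"id": "DEP-042", "severity": "critical", "file": "requirements.txt",
     "title": "Vulnerable dependency"},
    {"id": "SAST-017", "severity": "low", "file": "app/util.py",
     "title": "Debug flag left on"},
]

# Constructed risk exceptions. Each accepted finding must be owned, justified
# and time-boxed; an expired exception no longer suppresses anything.
SAMPLE_EXCEPTIONS = [
    {"id": "DEP-042", "owner": "team-payments", "expires": "2099-01-01",
     "reason": "Mitigated by network control; fix scheduled"},
    {"id": "SAST-001", "owner": "team-auth", "expires": "2020-01-01",
     "reason": "Exception has lapsed and must be renewed or fixed"},
]


def active_exceptions(exceptions, today):
    """Return the ids of exceptions that have not yet expired on `today`."""
    return {e["id"] for e in exceptions
            if date.fromisoformat(e["expires"]) >= today}


def evaluate(findings, exceptions, threshold="high", today=None):
    """Apply the gate policy and return a structured decision record.

    Findings below `threshold` are ignored. Findings at or above it fail the
    gate unless covered by an active exception, in which case they are
    reported as suppressed so the accepted risk stays visible in the logs.
    """
    today = today or date.today()
    accepted = active_exceptions(exceptions, today)
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < min_rank:
            continue
        target = suppressed if finding["id"] in accepted else blocking
        target.append(finding["id"])
    return {
        "event": "security_gate",
        "date": today.isoformat(),
        "threshold": threshold,
        "total_findings": len(findings),
        "blocking": blocking,
        "suppressed": suppressed,
        "result": "fail" if blocking else "pass",
    }


def main():
    # A fixed date keeps the sample run reproducible.
    record = evaluate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=date(2024, 6, 1))
    # One JSON line per run is what the pipeline keeps as its audit trail and
    # what a dashboard would aggregate into metrics.
    print(json.dumps(record))
    return 0 if record["result"] == "pass" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as the last step before a merge or deploy is approved: a non-zero exit code stops the pipeline, and the printed JSON line is the record Ng describes, showing exactly which findings were blocked, which were consciously accepted and by whom, and when that acceptance lapses.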
“Technically, in terms of toolset and workflows, it is far easier to implement DevSecOps on a public cloud platform,” Ng says. “There are also big communities of practitioners on these platforms who are able to share experiences.
“A bigger community of users makes it easier for investment decisions to improve the platform and/or address technical issues. Whilst it is possible to implement DevSecOps with on-prem systems, and sometimes it’s a requirement from the regulatory standpoint, in my experience, I have found it to be easier on public cloud platforms.”
Furthermore, the cloud helps bring together dispersed workforces. As the number of remote workers has skyrocketed due to the coronavirus, and is likely to stay high as more people move to hybrid working, cloud technologies have proven invaluable.
“It is perhaps no coincidence that we’re seeing a tremendous amount of activity and investment from organisations on this as the workforce becomes more distributed, especially since the pandemic,” Ng adds.
Join the Debate: Cloud First Summit
Dr Wendy Ng will discuss how cloud technology can help enable a DevSecOps approach at the Cloud First Summit, held virtually on the 23rd of June.
For more information and details on how to register for your free place at the Summit, please visit: www.cloudfirstsummit.com