Making the transition from DevOps to DevSecOps can seem like a daunting task; however, breaking the process down into simplified steps can help to make it more manageable.
Perforce, a company that works to solve DevOps challenges, recently took part in a webinar discussing best practices for making this shift. The panel was hosted by Mitch Ashley and consisted of Steve Howard, SCA specialist and technical services lead at Perforce; Jill Britton, director of compliance at Perforce; and Stuart Foster, product manager for Klocwork and Helix QAC at Perforce. The first thing they mentioned was the importance of creating a culture of security when making the transition to DevSecOps. Howard began:
“We’ve gotta start by making sure people feel comfortable in sharing information. We really want a collaborative community around the team that is sharing the information because you never know who’s going to spot the thing that really matters.”
Creating this culture of caring about security can help empower a development team to see all aspects of a project, including security, while still in the development process, which can prevent unnecessary difficulty down the line.
Another aspect of creating this culture of security has to do with the training given to developers entrusted with implementing security features. When development teams understand what threats and vulnerabilities they are looking for, it becomes easier to spot them earlier in the process. From that training, a DevSecOps process can be put into place to best serve the organization’s needs and work alongside tools and standards to provide the best security possible. However, according to Britton, focusing solely on bringing the development team into the security space will not be enough; it has to be an all-encompassing effort made by the entire organization. Britton said:
“It’s the developers, it’s the managers, it’s everybody that has to buy into this and take it forward. When the entirety of an organization is working together to provide the best possible DevSecOps practices, the transition becomes much more successful.”
An all-encompassing approach to security doesn’t end with the people involved, though. The panel also emphasized the importance of evaluating the current systems in place to see where they all connect and how security can further be built into the inner workings of those systems. When security plays a part in every step of the development process, it becomes much easier to spot vulnerabilities early on and resolve issues before they grow.
According to the panel, there are a few ways an organization can measure its progress toward adopting DevSecOps practices. One of the key things they mentioned was implementing a process that tracks new defects as they are introduced into a code base and reports on them so that they can be addressed quickly. Keeping track of new defects as they appear allows for continuous improvement in security practices because it becomes a constant feedback loop.
According to the panel, having access to constant feedback makes continuous improvement throughout the development life cycle much easier to achieve. An important thing to remember about feedback tools is that their feedback must be delivered promptly; it is much easier to fix a vulnerability while the code is still in context than to backtrack after the developer has moved on to a different stage of the life cycle.
Another tip the panel had for transitioning to DevSecOps is to always keep the developers in the loop. Providing developers with training and tools will allow them to get the job done, but it has to go deeper than that. If developers are aware of why they are being asked to implement these security practices, it gives them the context needed to understand their importance. According to the panel, if developers are made aware of the impact the security practices entrusted to them will have on the final product, they take security more seriously.
There are many tools that can be incorporated into the toolchain to help developers implement security practices. According to the panel, static application security testing (SAST) tools are incredibly useful throughout the process. These tools provide a quick way to follow the code and detect defects from patterns within it: they pick out the control flows and coding structures in the code base that would be vulnerable to a particular attack and make the developer aware of them early in the process.
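The two ideas above, pattern-based SAST detection and reporting only the defects that are new since the last scan (the feedback loop the panel describes earlier), can be illustrated together. The following is an added example written for this article, not code from Perforce, Klocwork or Helix QAC; the rule names, the three illustrative regex rules and the two constructed versions of `app.py` are all assumptions made for the demonstration. Findings are fingerprinted by rule, file and normalized line text rather than by line number, so that unrelated edits that shift lines do not make an old defect look like a new one.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative pattern rules (not a real SAST product's rule set).
RULES = {
    "HARDCODED_SECRET": re.compile(r"\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]", re.I),
    "EVAL_USE": re.compile(r"\beval\s*\("),
    "SHELL_TRUE": re.compile(r"\bshell\s*=\s*True\b"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    text: str

    def fingerprint(self):
        # Identity deliberately excludes the line number: edits elsewhere in the
        # file must not turn a known, baselined defect into a "new" one.
        return (self.rule, self.path, " ".join(self.text.split()))


def scan(path, source):
    """Pattern-based scan of one file; returns every rule hit with its location."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # skip comment-only lines
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, path, n, stripped))
    return findings


def new_findings(baseline, current):
    """Only the defects that were not present in the baseline scan."""
    seen = {f.fingerprint() for f in baseline}
    return [f for f in current if f.fingerprint() not in seen]


def report(findings):
    """Developer-facing lines, file:line first so editors can jump to them."""
    return [f"{f.path}:{f.line_no}: [{f.rule}] {f.text}" for f in findings]


# Constructed sample: the file as it was at the last scan (baseline)...
OLD_SOURCE = """\
import subprocess

API_KEY = "example-old-key"      # pre-existing defect, already in the baseline

def run(cmd):
    return subprocess.run(cmd, shell=True)
"""

# ...and the same file after a change that shifts lines and adds one new defect.
NEW_SOURCE = """\
import subprocess
import logging

API_KEY = "example-old-key"      # pre-existing defect, already in the baseline

def run(cmd):
    logging.info("running %s", cmd)
    return subprocess.run(cmd, shell=True)

def load(expr):
    return eval(expr)            # newly introduced defect
"""


def demo():
    baseline = scan("app.py", OLD_SOURCE)
    current = scan("app.py", NEW_SOURCE)
    return new_findings(baseline, current)


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Running the block reports a single new finding, the `eval` call, even though the current scan contains three hits in total; the two baselined defects still exist and belong in a backlog, but the developer's immediate feedback is limited to what their change introduced.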
Finally, it is important to provide developers with proof that what they are doing is working. Adding features such as a quality dashboard, so that developers can see evidence that the process is working, can help ease this transition and successfully build security into the DevOps process.