3 minute read
Best Practices in DevSecOps
As agencies get more experience with DevSecOps, essential principles have begun to emerge. They include:
Treat security as a shared responsibility.
Advertisement
Successful DevSecOps teams recognize that security is the responsibility of all team members, not just the security professionals on the team. Not everyone needs to be an expert, but they need to buy into the security objectives. Enlist leaders to support cultural change. Since DevSecOps requires that kind of transformational change, it means getting support from the top of the agency. Key steps — such as developing a comprehensive plan, educating developers, and ensuring cooperation among IT, security, and business teams — depend on leaders’ support. And when there is a leadership change, educate the newcomers and earn their commitment.
Starting small provides room to fail, adapt, learn
and grow. Although Platform One is a very visible success story for the Air Force, DevSecOps started with a single specific project, laying the groundwork for the expansion to come. Use automation as much as possible. Security is essential, but the goal remains to speed up development and deployment times. Automation can do both for software development through tools such as dynamic application security testing, static application security testing and automated configuration. By embedding security controls early in the process, automation can ensure the consistency and reliability of testing and secure coding in a CI/CD deployment environment.
Teach security as part of the DevSecOps team’s
ongoing training and skills improvement. In addition to building team rapport, it helps educate programmers on secure coding practices, which in turn builds team chemistry and further speeds the process. Test everything. Continuous security testing is an essential element of DevSecOps, but it has to apply to everything, including the front and back ends, units, APIs, databases and passive security. Threats exist across a spectrum of techniques and tactics,
so security testing has to match. Tailor tools to the job at hand. The suite of tools to be used should be tailored specifically to the job at hand and understood and used by all the team members equally: developers, operations teams and security experts.
Adapt continuously. One fundamental lesson in IT operations is that there never is a finish line. Change is the only constant, so agencies need flexible policies and processes that can adapt quickly to changed circumstances.
Plan on building to scale. Agencies with DevSecOps initiatives need to work with a cloud platform that enables that scalability.
Emphasize transparency. At a micro-cultural level, the most successful DevSecOps teams are transparent with one another, understanding each team’s core functions, strengths and limitations. And
they play to those strengths.
DOD’S 4 BEST PRACTICES
DoD released its OSD DevSecOps Best Practice Guide in January 2020. At the 30,000-foot level, it identifies four broad best practices. They include:
» Shifting the culture, including building organizational buy-in and creating a “shift left” mentality. This creates a checks-and-balances system of increased touchpoints among the disciplines earlier in the development lifecycle.
» Automation of manual processes, including continuous integration, monitoring and defining metrics as the source of DevSecOps’ value proposition.
» Infrastructure as code — having a scripted and version-controlled infrastructure — provides consistency, repeatability, reviewability and verifiable environments.
» Pitfalls and bad practices to avoid, such as overemphasis of pipeline tools and vendor lock-in, or becoming dependent on an entire suite of tools from a single vendor and creating obstacles if a single service needs to be replaced, risking a break in functionality.
THE DEVSECOPS MINDSET
Transportation Command’s Crist offered his own five recommendations, with an emphasis on coming at DevSecOps with the right mindset:
» Don’t wait; it looks complicated, but start doing the research.
» Realize you’re not alone; reach out to agencies that have already implemented DevSecOps and ask for help. That could be Crist’s office, Platform One, AFC or the Department of Veterans Affairs.
» Don’t reinvent the wheel (another reason to ask for help).
» Recognize that cultural change is harder than program changes.
» You need at least one person whose sole job is pushing the commitment to DevSecOps.
MEASURES OF DEVSECOPS SUCCESS
As part of its DevSecOps Tech Guide, GSA identifies five metrics for assessing DevSecOps performance:
» Deployment frequency » Lead time
» Detection of threats, security defects and flaws » Mean time to repair » Mean time to recovery
