September 10, 2021 by Rupinder
One of my favorite engineers, who shall remain nameless, despises the word “DevSecOps” because it has become a cliche in the industry. However, the ideas the DevSecOps practices represent are effective when applied in their spirit. I have seen these practices transform a team's risk and improve delivery and the user experience for everyone. Security is no longer a bogeyman, but another feature of the service. Effective teams stop seeing security scans as anxiety-inducing purity tests; instead, they treat them as automated safety checks whose findings are triaged and mitigated like any other user story. The transformation is real and effective, but it requires sponsorship and leaning in from all stakeholders.
Getting Started: Expand Your CI/CD Pipeline
In modern software development lifecycles, we rely on automation for finding errors. Every build or commit automatically runs multiple UI tests, spins up real and fake resources, and exercises APIs. If teams treat security as another key element of their service, the same rigor can be applied to it. The CI/CD layer is an easy place for a team to bring security scans into their risk profile using infrastructure they already have. Automation is your friend, making security easy for all stakeholders. We found commit hooks and build warnings to be very effective tools for raising awareness.
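As an added illustration of the commit-hook idea (this is example code written for this post, not a tool the author's team used), here is a small git pre-commit hook that inspects only the lines being added in the staged diff and refuses the commit when a credential-like string appears. The three patterns and the sample diff are constructed for the example; the AWS key in it is the documented placeholder key, not a real credential.

```python
#!/usr/bin/env python3
"""Git pre-commit hook that blocks commits containing credential-like strings.

Added example for the post's point about commit hooks; not code from the
original post. Install by copying it to .git/hooks/pre-commit and making it
executable (assumption: a POSIX host with git on PATH). The rule set below is
deliberately small; a production hook would delegate to a dedicated scanner.
"""
import re
import subprocess
import sys

# Rule name -> compiled regex. Constructed for illustration.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
}

# Constructed sample diff: a commit that replaces an env lookup with literals.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2secret"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


def find_secrets(diff_text: str) -> list:
    """Return (file, line_number, rule) triples for added lines that match a rule.

    Only '+' lines are inspected, so a commit that removes a leaked secret is
    never blocked. Line numbers are reconstructed from the '@@' hunk headers.
    """
    hits = []
    current_file = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            line_no = int(hunk.group(1))  # first line number on the new side
            continue
        if raw.startswith("+"):
            for rule, pattern in RULES.items():
                if pattern.search(raw[1:]):
                    hits.append((current_file, line_no, rule))
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1  # unchanged context line still occupies a new-side line
    return hits


def staged_diff() -> str:
    """Unified diff of what is about to be committed (runs git; not used by the tests)."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


def main() -> int:
    hits = find_secrets(staged_diff())
    for path, line, rule in hits:
        print(f"{path}:{line}: possible secret ({rule})", file=sys.stderr)
    if hits:
        print("commit blocked: remove the secret or move it to a secrets manager", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the hook reports the file, line and rule, the developer gets the feedback at the moment the secret is typed rather than from a scan weeks later, which is the awareness effect the post describes. Running it as a hook keeps it local and fast; the same function can run in CI over the pull-request diff as a build warning.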
In one project our team created a task that would scan our database instance automatically every day. Thanks to an API-driven approach, the scanning tool piped its results into AWS Security Hub. This created a single pane of glass organization-wide, leading to a feedback cycle that helped the teams triage, prioritize and mitigate emerging security threats. You can do the same with your CI/CD environment. Done right, it makes security a first-class citizen of your service.
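To show what the "pipe results into AWS Security Hub" step looks like in practice, here is an added example (not the team's actual code) that converts a scanner's findings into the AWS Security Finding Format (ASFF) and imports them with the real `BatchImportFindings` API through boto3. The scanner output format, the check names and the resource ARNs are constructed for the example; the ASFF field names, the default custom product ARN form and the 100-findings-per-call limit are as documented by AWS.

```python
"""Push scanner findings into AWS Security Hub via the ASFF import API.

Added example illustrating the post's daily-scan-to-Security-Hub setup; it is
not the team's actual code. SAMPLE_SCAN and the "dbscan" generator name are
constructed. Assumes Security Hub is enabled in the target account/region and
the caller has securityhub:BatchImportFindings.
"""
import hashlib
from datetime import datetime, timezone

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Constructed sample: what a database-configuration scanner might emit.
SAMPLE_SCAN = [
    {"check": "public-access", "severity": "high",
     "resource": "arn:aws:rds:us-east-1:123456789012:db:orders",
     "detail": "Instance is publicly accessible"},
    {"check": "encryption-at-rest", "severity": "critical",
     "resource": "arn:aws:rds:us-east-1:123456789012:db:orders",
     "detail": "Storage encryption is disabled"},
    {"check": "backup-retention", "severity": "low",
     "resource": "arn:aws:rds:us-east-1:123456789012:db:reports",
     "detail": "Backup retention is 1 day"},
]


def finding_id(account_id, region, check, resource):
    """Stable ID: re-importing the same check/resource updates the finding instead of duplicating it."""
    digest = hashlib.sha256(f"{check}|{resource}".encode()).hexdigest()[:32]
    return f"arn:aws:securityhub:{region}:{account_id}:dbscan/{digest}"


def to_asff(scan_results, account_id, region, now_iso=None):
    """Translate constructed scanner records into ASFF finding dictionaries."""
    if now_iso is None:
        now_iso = datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")
    # Default product ARN for custom (non-partner) integrations in Security Hub.
    product_arn = f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    findings = []
    for r in scan_results:
        findings.append({
            "SchemaVersion": "2018-10-08",
            "Id": finding_id(account_id, region, r["check"], r["resource"]),
            "ProductArn": product_arn,
            "GeneratorId": f"dbscan/{r['check']}",
            "AwsAccountId": account_id,
            "Types": ["Software and Configuration Checks/Vulnerabilities"],
            "CreatedAt": now_iso,
            "UpdatedAt": now_iso,
            "Severity": {"Label": r["severity"].upper()},
            "Title": f"{r['check']}: {r['detail']}",
            "Description": r["detail"],
            "Resources": [{"Type": "AwsRdsDbInstance", "Id": r["resource"]}],
        })
    return findings


def prioritize(findings):
    """Highest severity first, so the daily triage starts at the top of the list."""
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["Severity"]["Label"], 0))


def batches(items, size=100):
    """BatchImportFindings accepts at most 100 findings per call."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def send_to_security_hub(client, findings):
    """client is a boto3 'securityhub' client (or any object exposing batch_import_findings).

    Returns the number of findings Security Hub rejected, so a CI job can fail
    loudly instead of silently dropping results.
    """
    failed = 0
    for batch in batches(findings):
        resp = client.batch_import_findings(Findings=batch)
        failed += resp.get("FailedCount", 0)
    return failed


if __name__ == "__main__":
    import boto3  # only needed for the real call, not for the conversion logic
    asff = prioritize(to_asff(SAMPLE_SCAN, "123456789012", "us-east-1"))
    client = boto3.client("securityhub", region_name="us-east-1")
    print("rejected findings:", send_to_security_hub(client, asff))
```

The stable `Id` is the detail that makes the feedback cycle work: a finding that is still present tomorrow updates the same Security Hub record instead of creating a duplicate, so the team's queue reflects what is actually open. Schedule the script from the CI system or a cron-style job and let Security Hub, not email, be where triage happens.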
Process Not A Gate
Security in DevSecOps practices is not a gate to pass through but part of the development process. By making security part of the development workflow we change our relationship with it. Teams should rely on automated security scans, static analysis tools, and CI/CD integration. A gated process can spin into anti-patterns because it does not foster a spirit of collaboration between Development and Security.
Make It Easy To Succeed
I have seen remarkable success when the central theme of this transformation was making it easy. If you are asking your development team to fix security holes that they cannot reproduce, you are not setting them up for success. Even better, why not make these scans part of your CI/CD pipeline? Similarly, if you are scanning your system once a year to pass certification, you are not setting your team up for success.
Lean Into It
You will likely hit pain points; your infrastructure might be too rigid. Lean into it and address the pain points. Use automation where possible to reduce the boring work. The friction points you experience when making this transformation are often technical debt you have accrued. Lean into the pain points, fold paying down your technical debt into your regular cadence, and gradually increase your coverage.
Reduce Fear & Increase Collaboration
When security scans run every day, the team is not deluged with security tickets. Automation reduces the burden, and the regularity reduces the fear and sense of risk that teams associate with security work. Repetition turns frightening findings into everyday events, increasing your organization’s ability not only to protect against but to react quickly to any risk.
Threats are not going away, and a team ignores good DevSecOps practices at its peril. So bake security and compliance into your digital services from day 1.