By Joey Campione, Managing Director of Opticca Security

Companies embracing emerging technologies such as open source, IaaS and PaaS are impacting industries like never before. Google, Amazon, Uber, Airbnb and Netflix have set the bar for companies that are disrupting markets and showcasing the business advantages of DevOps at a global scale. Increased market share, a massive reduction of technical debt and the ability to attract the world’s best talent are a few of the key benefits experienced by the above-mentioned organizations.

As recently experienced by Equifax, the challenge of improving your security while working out how to implement these latest trends can be daunting. These challenges are primarily caused by aggressive release timelines, driven by a competitive need to constantly deploy new features and apps that enhance the user experience. Thankfully, we have examples of companies that have successfully addressed both challenges simultaneously by combining methodical security approaches with niche technology solutions. For example, open source SAST (Static Application Security Testing), next-generation WAFs and open source compliance solutions are gaining popularity with forward-thinking IT departments as a way to ease the transition to more agile development environments. The following three recommendations will help you properly embed security into your DevOps journey, yielding significant financial benefits and opportunities for further DevSecOps collaboration.

How do we get there?

Learn the particulars of DevOps and visualize where security will ideally fit into the SDLC

A good understanding of the Continuous Integration/Continuous Delivery (CI/CD) pipeline will help you use the right tools and processes to accomplish security tasks quickly and efficiently. Embedding security early in the SDLC and familiarizing yourself with the open source components your application development team already uses is a great starting point. Automating and provisioning tedious, lengthy manual tasks will improve efficiency and employee morale and greatly reduce risk.

Encourage, Share and Enable

Culture change is never easy and is typically enforced from the top down. Lead and encourage collaboration among the DevSecOps teams. Share responsibilities and prioritize execution with everyone on the same page. Lastly, evaluate and implement technologies that enable security and developers to work in harmony toward a common goal, “deliver quick, efficient and secure,” early in the process.

Don’t bite off more than you can chew

We agree with an ambitious attitude; however, our experience dictates that a “stepping stone” approach typically yields better adoption and long-term success. Because a strong consulting and services partner brings a high level of exposure and experience across many companies, working with one may be a good option when building out a new project or validating current methodologies. Best practices are great guidelines, but every environment and organization is unique. Creating a holistic plan with pragmatic objectives will likely earn higher buy-in from your colleagues and executive stakeholders. Set expectations accordingly and focus on “quick wins” to help build momentum.

Conclusion

We are no longer operating in a time when these methods are questionable. Today’s reality is that IT needs to be agile, lean and continuously improving at an accelerated rate. There are proven methodologies, technologies and approaches that can help you build a solid culture and synchronization between development and security. This allows us to embrace DevOps and deliver secure applications at a rate we never thought possible.