DevSecOps Is a Culture Issue
A recent virtual roundtable sponsored by Snyk titled “Silos Decoupled: The Case for Shifting Left and Right” brought together CDOs and CISOs to discuss silos and shifts. The roundtable was held under the Chatham House Rule.
“One of the areas we’re interested in is the changing role of the CISO and security teams in DevOps,” said moderator and editor-in-chief of CDOTrends Winston Thomas. “We’ve heard the terms 'shift left' and 'shift right' often, but what does that mean in practice for security and development teams — who all too often still eye each other suspiciously?”
The objective of the discussion is to find ways to bring these teams together and help create a foundation for a robust and thriving DevSecOps culture.
DevSecOps
DevSecOps is a portmanteau that incorporates the terms development, security, and operations. Although the two concepts share several best practices, it's not to be confused with DevOps. “At its most successful,” says Wikipedia. “DevOps is a combination of specific practices, culture change, and tools.”
DevSecOps dovetails with DevOps and allows for security practices to be integrated into the DevOps approach. “Contrary to a traditional centralized security team model, each delivery team is empowered to factor in the correct security controls into their software delivery,” says Wikipedia.
Keep the focus on the organization's goals
According to research firm Gartner: “DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture), and it seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology — especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective.”
Culture clash
Keep the focus on the organization's goals: the culture of any given company is a critical factor. “DevOps is as much about culture as it is about the toolchain,” says Wikipedia.
“DevOps initiatives can create cultural changes in companies by transforming the way operations, developers, and testers collaborate during the development and delivery processes. Getting these groups to work cohesively is a critical challenge in enterprise DevOps adoption.” Attending DevSecOps gurus agreed.
Creativity, innovation, rapid feedback
Moderator Thomas kicked off the online discussion by asking Stephen Singam, group chief information security officer at DKatalis and Bank Jago, about his experience integrating security development in companies. “What worked, and what did not?”
“DevSecOps is creative and innovative, so it's very hard to measure,” said Singam. “What we've done right is to have a cultural shift. How do we help developers to make sure they feel successful? Work backward, reward aspiration, work from beginning to end.”
“Culture first, strategy second”
“DevSecOps is very fast — on-the-fly. We strive to enable feedback loops quickly, near real-time,” Singam continued. “Even if the answer is 'no,' we try not to say no [right away] but compromise. It's culture first, strategy second.”
Prioritize your lists
“Often in DevSecOps, the security team sends a bug list to developers,” said Lawrence Crowther, head of solutions engineering for APJ at Snyk. “The issue isn't the list; it's the context. Make sure the list is prioritized. Focus on the top five things first, the low-hanging fruit.”
Crowther cited healthcare as an industry with issues including sensitive data. “Healthcare, like a lot of other traditional industries including banking, insurance, and manufacturing, needs technical depth,” he said. “To do DevSecOps at scale, you need a DevSecOps culture and agile development as well. In the healthcare space currently, there's a lot of innovation, but still, a long way to go.”
Singam mentioned that there's an “elephant in the room: It's not just security and development [in isolation] here — we have to talk about the business. Operations want availability and security while developers want it faster, and sometimes management simply doesn't understand.”
“The concept of 'shift-left' likely means different things to different people,” said Crowther. “But to me, it means working within the developers' workflow.”
“Any security measures you impose on a developer will cause friction, so we must strike a balance between speed and security,” he said. “It's not one-size-fits-all because different organizations have different priorities. If your engineers are comfortable and confident with security, you can dial your DevSecOps to ten. If you have junior developers who are not so knowledgeable in the security domain, you need to dial it down and find out what works for your organization.”
Developer culture
“Can we trust developers to handle security?” asked Crowther. “We're going to have to — there are a hundred developers to every security professional at most companies. Security teams don't have the scale or resources to do this. So it makes sense to expect developers to do it themselves.”
“The biggest lesson I have learned is an appreciation for developer culture,” said Singam. “Working with them, listening to them, and learning to think like them.”
Culture versus tools
The discussion concluded with the participants discussing the importance of culture and the percentage of culture versus tools within DevSecOps.
Interestingly, no one ranked tools higher than 50%, and one participant gave culture a 90% score versus 10% for tools. Clearly, for DevSecOps professionals, culture is an important criterion.
This article is the third in a series on effective collaboration techniques for cybersecurity.
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IOT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/Makhbubakhon Ismatova
