SecAdvent
DevOps with a Spice of Culture – SecAdvent Day 23
December 23, 2020
DevOps is not a buzzword anymore. Every organisation is working towards achieving a successful DevOps practice. Organisations are adopting Agile and over the years, while checking the DevOps practice of clients, I have realised DevOps practices are not the same in two organisations. Every organisation has their way of working towards adopting the practices.
Organisations are facing challenges with the breaches that are happening every other day. Security can pose severe challenges if not handled with care. We have seen big breaches happening when there are gaps in the software security. In 2017, Equifax was breached and PII data of millions of people was stolen where attackers leveraged a known Apache Struts vulnerability that wasn’t patched intime. By looking at these vulnerabilities, there is one thing which is evident that security in DevOps or DevSecOps is not just tooling but People, Process and Technology together with culture complementing it. Only technical shifts cannot give an organisation the kind of secure product they want. On top of this, DevSecOps practices are not like ticking a checkbox on the list, if the team doesn’t have a security mindset whatever anyone does, achieving the goal of having a secured platform is next to impossible.
First and foremost, it is important to remember that we can’t blame developers for every single issue. That’s all too common and all too easy.
Ops needs to trust Dev to involve them on the feature discussion
Dev Needs to trust Ops to discuss infrastructure changes
DEVSECOPS IS WHERE EVERYONE HAS A SAY FROM DEV TO OPS TO SECURITY TO LEADERSHIP.
We can have the best tools money can buy, can have the best of teams, but DevSecOps will not work if tools, technology and teams do not work together. Not all tools are DevSecOps ready, not all tools can fit into the pipeline. Security has to be tightly coupled with developer friendly tools like Jenkins, JIRA, and other frequently used DevOps tools. Automation is another aspect that helps drive a DevSecOps culture, by fine tuning the tools, so they don’t waste anyone’s time.
Organisations might face multiple challenges when adopting DevSecOps, where one of the biggest challenges is to get buy-in from the stakeholders. Getting everyone involved and on the same page. The problem can be resolved by putting the information on the table. A successful program starts with the people & culture. We can build security champions in each team so they can help when needed. For example: on one of my past projects in the beginning, security teams were never invited on the scrum meets and it took sometime to be on the same page.
Attaining maturity level is something which should be imperative in an organisation. Upon attaining a maturity level, we can Insist that the build breaks for a high severity security vulnerability.
As outlined above, the need is to have the DevSecOps practices and it is not just about tools. Cultural change is a much bigger component in the DevSecOps process.
About Vandana Verma
Vandana is a seasoned security professional with experience ranging from application security to infrastructure and now dealing with DevSecOps. She has been Keynote speaker / Speaker / Trainer at various public events ranging from Global OWASP AppSec events to BlackHat events to regional events like BSides events in India. She is part of the OWASP Global board of directors. She also works in various communities towards diversity initiatives InfosecGirls, WoSec and null.
She has been recipient of multiple prestigious awards like Cyber Security Woman of the Year Award 2020 by Cyber Sec Awards, Global cybersecurity influencer among IFSEC Global’s “Top Influencers inSecurity and Fire” Category for 2019, Cybersecurity Women of the year award by Women Cyberjutsu Society in the Category “Secure Coder”. She has also been listed as one of the top women leaders in this field of technology and cybersecurity in India by Instasafe.
