DevOps is no longer a buzzword. Every organisation is working towards a successful DevOps practice. Organisations are adopting Agile, and over the years, while reviewing the DevOps practices of clients, I have realised that no two organisations practise DevOps the same way. Every organisation has its own way of working towards adopting the practices.
Organisations are facing breaches every other day, and security can pose severe challenges if it is not handled with care. We have seen big breaches happen where there were gaps in software security. In 2017, Equifax was breached and the PII of millions of people was stolen; the attackers leveraged a known Apache Struts vulnerability that had not been patched in time. Looking at such vulnerabilities, one thing is evident: security in DevOps, or DevSecOps, is not just tooling but People, Process and Technology together, with culture complementing them. Technical shifts alone cannot give an organisation the kind of secure product it wants. On top of this, DevSecOps practices are not a checkbox on a list: if the team does not have a security mindset, then whatever anyone does, achieving the goal of a secure platform is next to impossible.
First and foremost, it is important to remember that we can’t blame developers for every single issue. That’s all too common and all too easy.
“Ops needs to trust Dev to involve them in the feature discussion.
Dev needs to trust Ops to discuss infrastructure changes.”
DevSecOps is where everyone has a say from Dev to Ops to Security to leadership.
We can have the best tools money can buy and the best of teams, but DevSecOps will not work if tools, technology and teams do not work together. Not all tools are DevSecOps ready, and not all tools fit into the pipeline. Security has to be tightly coupled with developer-friendly tools like Jenkins, JIRA and other frequently used DevOps tools. Automation is another aspect that helps drive a DevSecOps culture: fine-tuning the tools so they don't waste anyone's time.
Organisations might face multiple challenges when adopting DevSecOps, and one of the biggest is getting buy-in from the stakeholders: getting everyone involved and on the same page. The problem can be resolved by putting the information on the table. A successful programme starts with people and culture. We can build security champions in each team so they can help when needed. For example, on one of my past projects, in the beginning the security team was never invited to the scrum meetings and it took some time to get on the same page.
Attaining a maturity level should be imperative for an organisation. Upon attaining a maturity level, we can insist that the build breaks for a high-severity security vulnerability.
As outlined above, the need is for DevSecOps practices, and it is not just about tools. Cultural change is a much bigger component of the DevSecOps process.
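One concrete way to implement the build-breaking rule is a small gate step that runs after the scanner in the pipeline and fails the job when any finding reaches a configurable severity threshold. The script below is an added example written for this post, not code from the original article or from any particular scanner; the report schema (a JSON document with a `findings` list carrying `id`, `severity` and `location`) and the finding IDs are constructed for illustration. It supports a warn-only mode so a team can start by reporting and, once it has reached the maturity level described above, flip the same step to enforcing; a suppression list lets accepted risks be recorded explicitly rather than by lowering the threshold.

```python
"""CI security gate: fail the build when a scan report contains findings at or
above a severity threshold. Added example; the report schema is constructed."""
import argparse
import json
import sys
from dataclasses import dataclass, field

# Ordered severity scale; a higher index means more severe.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # findings that hit the threshold
    counts: dict = field(default_factory=dict)     # findings per severity label


def severity_rank(name):
    """Map a severity label to its position on the scale. Unknown labels rank
    above 'critical' so a malformed or renamed severity cannot slip past the gate."""
    try:
        return SEVERITY_ORDER.index(name.lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def evaluate(report, threshold="high", suppressed=()):
    """Apply the policy to a parsed report and return a GateResult.

    report:     dict with a 'findings' list (constructed schema, see lead-in)
    threshold:  lowest severity label that blocks the build
    suppressed: finding IDs accepted as known risk; they are counted but never block
    """
    counts = {s: 0 for s in SEVERITY_ORDER}
    blocking = []
    limit = severity_rank(threshold)
    for finding in report.get("findings", []):
        sev = str(finding.get("severity", "unknown")).lower()
        counts[sev] = counts.get(sev, 0) + 1
        if finding.get("id") in suppressed:
            continue  # accepted risk, tracked outside the pipeline
        if severity_rank(sev) >= limit:
            blocking.append(finding)
    return GateResult(passed=not blocking, blocking=blocking, counts=counts)


# Constructed sample report standing in for a scanner's JSON output.
SAMPLE_REPORT = {
    "findings": [
        {"id": "SCA-001", "severity": "critical", "location": "pom.xml:42"},
        {"id": "SAST-042", "severity": "high", "location": "src/Upload.java:88"},
        {"id": "SAST-017", "severity": "medium", "location": "src/Config.java:12"},
        {"id": "SAST-099", "severity": "low", "location": "src/Util.java:5"},
    ]
}


def main(argv):
    """Return the process exit code: 1 blocks the pipeline stage, 0 lets it pass."""
    parser = argparse.ArgumentParser(description="Severity gate for scan reports")
    parser.add_argument("report", nargs="?", help="path to scanner JSON; sample if omitted")
    parser.add_argument("--threshold", default="high", choices=SEVERITY_ORDER)
    parser.add_argument("--suppress", action="append", default=[], help="finding ID to accept")
    parser.add_argument("--warn-only", action="store_true", help="report but never fail")
    args = parser.parse_args(argv)

    if args.report:
        with open(args.report, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT

    result = evaluate(report, args.threshold, set(args.suppress))
    print("findings by severity:", {k: v for k, v in result.counts.items() if v})
    for f in result.blocking:
        print(f"BLOCKING {f['severity'].upper():8} {f['id']} at {f['location']}")
    if result.passed:
        print("gate passed")
        return 0
    if args.warn_only:
        print("gate would fail (warn-only mode, not enforcing)")
        return 0
    print(f"gate failed: {len(result.blocking)} finding(s) at or above {args.threshold}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as the last stage of the scan job and let the job's exit code break the build; keeping the threshold and the suppression list as pipeline parameters means raising the bar later is a one-line change rather than a new tool.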