10 Top Talks and Resources About DevSecOps
One of the most distinctive traits of DevOps is agility. The development cycle is not only fast, but also divided into multiple components that are constantly updated. At runtime, the constant stream of updates, and at times episodic workloads, challenge the security of any environment.
In an attempt to understand the state of container security adoption, we at Aqua Security recently published a survey conducted among 512 DevOps and security professionals. Currently only 13% report they have a DevSecOps team who own container security, but 28% think that DevSecOps should own the responsibility moving forward.
If security controls and methods are ever to catch up with the speed of DevOps pipelines, security pros need to buy into DevOps’ philosophy of teamwork, coordination, agility and shared responsibility. DevSecOps is all about collaboration. It's a shared company objective to bridge the gap between security teams on one side and developers and DevOps teams on the other, to ensure a smooth and secure development and deployment process.
Analysts at Gartner have created an excellent outline on including security within a DevOps framework. The agile framework, however, requires security and risk management leaders to change mindsets, processes and technology: adapting security testing tools and processes to the developers, not the other way around.
To get us all more familiar with DevSecOps principles, we’ve compiled this list of resources to follow:
1 - One of the fundamental building blocks of DevSecOps is to make sure your developers write secure code. This whitepaper by SANS Institute, entitled “The DevSecOps Approach to Securing Your Code and Your Cloud” gives great advice on the subject. The paper also looks at how to build tighter collaboration between security, development, and IT operations to ultimately implement DevSecOps.
2 - Great overview talk by Scott Paddock, Security Solutions Architect at AWS. This talk from AWS re:Invent 2016 is focused on HIPAA and healthcare, but it offers many practical ideas and guidelines that can be used by any organization. There is also a very useful piece on the ‘DevOps Toolchain’.
3 - A talk from DevOps Connect at RSA 2016 by Shannon Lietz of Intuit, offering practical insight and advice on implementing DevSecOps within an enterprise. It covers 7 baseline principles to achieve successful DevSecOps.
4 - Slides from Franklin Mosley, DevSecOps practitioner and thought leader. They contain some interesting statistics and answers to questions posed, such as “What benefits have you seen...from implementing DevOps?” Within Mosley’s Slideshare repository, check out some of the other useful presentations, such as the DevSecOps slides on “Free pentesters' time to focus on high-hanging fruits”.
6 - In the spirit of bridging the gap, our Solution Architect Tzvi Korren held a talk at MesosCon this year entitled “What Security People Want: Making DevSecOps Happen with Containers”. He introduced a breakdown of how security professionals view container security and what they see as vital for success.
7 - A Roundtable discussion video from the OWASP AppSec EU conference 2017. The panel discusses the current state of DevSecOps, with insights from some of the world's experts in the field.
8 - Zane Lackey of Etsy spoke at OWASP AppSec USA 2015 about his experience building a security team at Etsy and the lessons he learned from doing so. Zane talks about continuous deployment techniques and the methodology behind effective DevSecOps.
9 - In an episode of Software Engineering Radio, the informative podcast targeted at professional software developers, Francois Raynaud, Founder/Director at DevSecCon Limited, speaks about how to apply DevOps principles to security with little friction, and how doing so helps improve the relationship between security and development teams.
10 - Laksh Raghavan of PayPal shows how the company integrated security into DevOps. Laksh has wide experience in information security across the enterprise. As well as working with PayPal, he has also worked with Fortune 500 companies across the world. Check out more of Laksh’s ideas and the books he has authored on his blog.
The DevSecOps space is relatively new and yet full of excellent resources. These folks have ‘been there, and done that’. Using their wisdom could ensure you get things done right when implementing DevSecOps in your organization.