FEATURE
Businesses need to have the right processes in place to identify the ways to apply security without compromising agility.

but also enables security assessments of that output to be more focused.
What is driving the need for a DevSecOps approach?
Software security is an attribute of software development which recognises that external threats are as important to product success as any defect analysis might be. With agile development practices at the core of DevOps, DevSecOps seeks to provide contextually relevant security reviews in an automated fashion based on the nature of the features being created. The security results are then presented to the developers as they are creating their features, which provides feedback at a point when the developer is thinking about the feature, not several weeks or months later as might be the case in traditional development streams.
What challenges do organisations seeking to adopt this approach face?
The single biggest challenge facing those adopting DevSecOps is context. Developers don’t want more work and don’t want to sift through lengthy reports in an effort to discover a relevant security defect. Since DevOps is about people and process, creating a security process which works for an organisation requires that the Dev and Ops teams be directly involved in defining the security process for their teams.
How can these challenges be addressed?
Successful security practices are those which improve the overall product or service with a minimum amount of friction. That is to say, if the pain of adopting the new security process is significant, then any KPIs associated with the initiative will be difficult to meet. Solving for this requires engagement with the development teams who will be on the receiving end of any security issues being identified. Through collaboration, any people or process issues can be identified and compensated for at the outset rather than mid-stream.
How should this strategy be implemented?
When any new security tooling is introduced, it will inevitably find a series of issues which were hidden. Those issues will need to be triaged and tasks created to best address them. Some organisations may wish to resolve all issues before moving on to new work, while others may prefer a known status quo but require that new work be free from security defects. Both models are equally workable and the correct model will be team and product specific. Determining the correct solution requires that all stakeholders are part of the process defining both the workflow and any KPIs. Effectively, the team should
Issue 22 | www.intelligentciso.com