SecDevOps: A People-Centric Approach to Secure Software
The world of enterprise and government software is changing. DevOps is supercharging the software design, development and deployment process, leading to faster releases, and more consistent, reliable implementations.
Now, Leidos is ensuring that security stays top-of-mind in the software development process by putting it first in this equation. To demonstrate that, instead of calling our development lifecycle DevSecOps we call it Secure DevOps (SecDevOps).
As originally conceived, DevOps emerged as a way to unite two opposing mindsets in software development. Developers were traditionally the 'go-go' group, advocating for new features and benefits in software. Systems administrators were the 'no-no' group on the other side of the equation, cautious of changes that might disrupt system reliability. Security professionals felt the same caution over the introduction of new vulnerabilities.
SecDevOps unites security, development and operations so that they work together towards a common goal by making enhancements in three areas:
- People. It combines developers and operations staff into teams with shared skills and common goals.
- Process. It formalizes the development and deployment process into a standard pipeline with clearly defined responsibilities. Developers define infrastructure directly in code (infrastructure as code) and are often responsible for sustaining the virtual infrastructure in which their applications run. Operators provide the underlying hardware and storage services to support developers' goals.
- Tooling. SecDevOps pipelines rely on common tools that automate these underlying processes for consistency, accountability and efficiency. For the first time, all stakeholders can view and contribute to the same development and deployment records. There is a single source of truth for the SecDevOps team. Along with the enhanced processes, this creates a platform for continuous integration, in which developers quickly merge changes into a single branch that is then automatically tested. This leads to faster software releases with lower error rates.
Shining a light on security
Successful SecDevOps teams have perfected this transition to a well-oiled development and deployment pipeline that automatically checks software and virtual infrastructure for reliability, quality, compliance and security before allowing for final deployment. This has created room for another participant to sit in the middle of that process: security.
Developers releasing features at breakneck speed can introduce new attack vectors, so security professionals traditionally staked their ground in the 'no-no' camp. Security staff wanted to protect systems from harm and would be cautious about new changes.
SecDevOps teams use their unified approach to integrate security personnel, processes, cultures, and a common set of tools seamlessly into the software deployment pipeline. Security skills, processes, and tools become an explicitly defined part of the mix.
In a SecDevOps team, security processes and tools are a resource for developers and operations staff. For example, developers configuring infrastructure for their applications would have access to a set of standard, security-scanned and approved templates from which to generate new virtual server images. These hardened server builds would reduce the possibility of developers accidentally introducing security vulnerabilities.
Other security measures that SecDevOps teams can introduce into development pipelines include test automation. The team can implement tools and processes to support security unit testing, and can use threat modeling to drive those tests: the threat categories identified for the system (in the STRIDE model, spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege) each map to test cases that run automatically against every build, so a change that reintroduces a known threat fails the pipeline rather than reaching production.
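The two pipeline controls described above, a hardened-template check and threat-model-driven security unit tests, as an added illustration that is not Leidos code or taken from the fact sheet. It assumes a hypothetical pipeline gate that (1) parses an sshd_config fragment from a server image template and compares it against a hardening baseline, and (2) runs STRIDE-tagged unit tests against a small HMAC-token authorization helper. The config fragments, key and roles are constructed for the example.

```python
"""Example SecDevOps pipeline gate (added illustration, not Leidos code).

Part 1 checks a server image template against a hardening baseline.
Part 2 runs security unit tests named after STRIDE threat categories
against a small authorization helper. All inputs are constructed inline
so the script runs offline."""
import hashlib
import hmac

# --- Part 1: hardening baseline for approved server image templates ---

# Constructed sshd_config fragment from an approved, security-scanned template.
HARDENED_SSHD = """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

# Constructed fragment a developer might hand-edit, weakening the baseline.
WEAK_SSHD = """\
PermitRootLogin yes   # convenient for debugging
PasswordAuthentication yes
"""

# Settings every image must state explicitly. A missing key is treated as a
# violation rather than trusting the daemon's default.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}


def parse_sshd(text):
    """Parse 'Key value' lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def baseline_violations(text):
    """Return a list of human-readable baseline violations (empty = pass)."""
    conf = parse_sshd(text)
    violations = []
    for key, required in BASELINE.items():
        actual = conf.get(key)
        if actual is None:
            violations.append(f"{key} missing (required {required})")
        elif actual.lower() != required:
            violations.append(f"{key}={actual} (required {required})")
    return violations


# --- Part 2: STRIDE-tagged security unit tests for an authorization helper ---

SECRET = b"constructed-demo-key"  # hypothetical; a real pipeline pulls this from a secret store
ROLE_PERMISSIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}}


def sign(user, role):
    """Issue a token of the form b'user:role.<hex HMAC-SHA256>'."""
    msg = f"{user}:{role}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"." + mac


def verify(token):
    """Return (user, role) if the MAC is valid, else None."""
    msg, _, mac = token.rpartition(b".")
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    user, _, role = msg.decode().partition(":")
    return user, role


def authorize(token, action):
    """True only if the token is genuine and its role permits the action."""
    claims = verify(token)
    if claims is None:
        return False
    return action in ROLE_PERMISSIONS.get(claims[1], set())


def test_spoofing_forged_token_rejected():
    # Spoofing: a token with a made-up MAC must not authenticate anyone.
    assert authorize(b"alice:admin." + b"0" * 64, "read") is False


def test_tampering_role_edit_rejected():
    # Tampering: changing the role claim invalidates the MAC.
    tampered = sign("alice", "user").replace(b":user", b":admin")
    assert authorize(tampered, "delete") is False


def test_elevation_user_cannot_delete():
    # Elevation of privilege: a valid low-privilege token stays low-privilege.
    assert authorize(sign("alice", "user"), "delete") is False
    assert authorize(sign("bob", "admin"), "delete") is True


def run_gate():
    """Run both checks and return their results as the pipeline would record them."""
    results = {"template_violations": baseline_violations(WEAK_SSHD)}
    for name, fn in list(globals().items()):
        if name.startswith("test_") and callable(fn):
            try:
                fn()
                results[name] = "pass"
            except AssertionError:
                results[name] = "fail"
    return results


if __name__ == "__main__":
    for check, outcome in run_gate().items():
        print(f"{check}: {outcome}")
```

In a real pipeline the baseline check would run against the rendered image template before the image is built, and the STRIDE-tagged tests would live beside the application's other unit tests so a failing one blocks the merge like any other test failure.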
Putting people first
Processes and tools can empower a team to produce more secure code and deployments, but managers must not underestimate the human side of SecDevOps. They must consider how teams relate to each other, and how members collaborate.
Overcoming cultural divisions will be a big factor here. All stakeholders in a team will be used to working in a certain way, and with a degree of autonomy. Empowering them to work harmoniously together will involve a mixture of training and incentives. Managers must make each team jointly responsible for the full lifecycle of the product and must incentivize them using the appropriate metrics.
These metrics could range from technical ones such as release cadence and the number and severity of reported bugs, through to key performance indicators that reflect business goals. Agile managers may change how these metrics relate to service level agreements over time as the organization's needs change.
SecDevOps teams that align and incentivize their team members correctly can empower them to leave past agendas behind and walk in lockstep as they pursue a new, common goal. They will be able to deploy reliable software along consistent security rails that help rather than hinder development teams in their journey to design feature-rich software.
For more information about how Leidos is empowering SecDevOps teams, download our SecDevOps fact sheet.