KubeCon Coverage: Incentivizing the DevSecOps Culture
Limited Time Offer!
For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!
Source:-https://devops.com
Cyberattacks are on the rise in the era of COVID-19 and cybersecurity has become paramount to arm business-critical applications. Furthermore, new regulations have emerged to protect personally identifiable information (PII). A new cybersecurity awareness feels quite apparent throughout the tech spectrum. As a result, security policies are poised to integrate more directly within the process of engineering and deploying applications.
Nonetheless, while DevSecOps feels necessary to implement at this critical hour, it does present challenges. Primarily of which is a significant cultural shift. Uniting security and development isnât as easy as it sounds, especially when faced with rigid enterprise bureaucracy. Plus, how can an organization incentivize DevSecOps if developers fear security tools will slow down their workflows?
The DevSecOps panel at the recent KubeCon + CloudNativeCon North America 2020 brought together leaders in the DevSecOps arena to advise introducing a security-first mindset to DevOps. Dan Papandrea, field chief technologist at Sysdig, led this super-informative panel. It featured:
Emily Fox, DevOps Security Lead, NSA
Peter Bosch, Cisco
Sunil James, HPE
Christian Weichel, Gitpod
Nicolas Chaillan, U.S. Air Force
Below, Iâll cover some of the key insights garnered from the event. To summarize, the panel identified how policy-first tools and open source initiatives are placing security controls within IDEs and CI/CD pipelines. And what will it take to get everyone onboard? It appears that transparent tooling automation, making security adherence natural and a new wave of security-aware employees will be critical components in the future era of DevSecOps.
What is DevSecOps?
First off, to get a better picture, what exactly is DevSecOps? And why has it come about?
In a previous article, we defined DevSecOps with six traits: security automation, security culture, de-siloing IT, shifting security left and security as an enabler (not a stalling force).
The KubeCon panelists seemed to echo all of these points. Fox described DevSecOps as âa term used by organizations to ensure their DevOps approaches have a security-first mentality.â To her, this means placing security automation within workload environments.
DevSecOps is something new. For most organizations, security isnât baked into the standard development processesâit historically hasnât been the first priority, Chaillan said. DevSecOps is changing that, adding continuous monitoring, zero trust enforcement and reducing the overall attack surface.
The move toward continuous release is also an impetus for DevSecOps. âOur cadence of delivery has been quickened,â said James. All organizations now feel pressure to deliver value to customers rapidly. An interesting byproduct of building security-first, he said, is âthe ability to create the consistency and speed with which you can actually offer these capabilities.â
Another cause for DevSecOps is the sheer imbalance in the workforce. On average, the number of developers far outweigh the number of security folks, noted Bosch. So, DevSecOps could scale security across an organization more effectively than human power could.
Bosch also is hopeful DevSecOps could put an end to time-consuming bureaucracies stalling an agile security process. âDevelopers used to write code and wait for free months to open a firewall.â This may have been standard operating procedure decades ago, but in the age of continuous everything, enterprises must evolve how they handle IT security policies. âBy uniting security with developers, we bring speed, robustness, avoid OWASP issues, and build applications that better contribute to the bottom line,â he said.
Finally, embracing DevSecOps is a significant commitment. The combination of culture and technology is essential, noted Weichel. As we infuse security testing into CI/CD pipelines and make everything security-first, he said, we indeed undergo a cultural shiftâitâs something that permeates everything.
Challenges in Implementation
Companies attempting to introduce DevSecOps may run into a few challenges, including instilling the culture, implementing regulatory compliance and finding the right blend of open source and propriety tools to get the job done.
Bosh is no stranger to sluggish enterprises and the systemic change required to introduce DevSecOps. In these environments, changing companywide antiquated processes may require executive sponsorship. âBy and large, itâs mostly culture,â he said, yet acknowledged a vast divide between the two groups: âHow do you convince security do get out of their comfort zone? And how do you convince developers to get out of theirs?â
There is also developer experience to consider: Developers often view security tools as limiting their ability to deliver code quickly. Perhaps the biggest challenge to overcome is improving the experience of working alongside new security policies. If new practices are causing more pain, instead of automating pain points away, DevSecOps could suffer.
Outside of team dynamics, there are also technical hurdles involved when introducing and enforcing legal regulatory requirements. âGetting any sort of compliance baked into CI/CD pipelines is a challenge,â said Fox. Part of the problem is that the tooling to enforce such requirements isnât there yet. âCloud-native is continually evolving and security is constantly playing catch up,â she noted. âItâs an ongoing challenge.â
Incentivizing the DevSecOps Culture
Employees need incentives to change established habits. With the above challenges in mind, how can organizations create incentives to adopt DevSecOps? Well, outside of monetary incentives or straight up demanding it, incentivizing that security culture could happen in a few different ways, the panelists noted.
To Fox, itâs about âmaking security transparent to the developers.â You want developers to quickly build and deploy secure applications without the need for intensive cybersecurity training. Thus, the tools and processes must be as transparent and usable as possible. DevSecOps is possible âif you make it second nature,â she said.
Another way to consider DevSecOps culture is the end performance. If customers are happy, this is a positive gauge. James said he has witnessed CIOs at a few organizations using customer satisfaction scores as a guiding light for not only the business but for security effectiveness well.
Bosch similarly stressed an indirect incentive about overall company performance. âCompanies that really embrace DevSecOps leads to better code,â said Bosch. This leads to more robustness, higher speed, and better-operating enterprises. Co-building a thriving success could be ample incentive alone for those who have the whole team in mind.