Application security

Successful DevSecOps begins with a cultural shift

Jason McAllister

Senior Consultant, Cloud Solutions Engineering, Coalfire

A successful DevSecOps approach fosters cohesive collaboration between Development, Security, and Operations teams for the cultivation of outcomes that improve security while also maintaining the goals of DevOps. Within DevSecOps, security is an additional foundational component in the process toward improving delivery outcomes. Furthermore, security is introduced as an integral and continuous component of the application lifecycle. With DevSecOps, the role of and emphasis on security occur much earlier in the lifecycle with a goal of producing better protected and perhaps more resilient applications. 

Building a successful DevSecOps methodology requires several components, and cultural transformation is where it begins. Organizational change will support a progression from conventional siloed departments into cohesive, highly functioning teams. Several crucial elements that support organizational movement toward a DevSecOps culture include:

  • A healthy understanding of the organizational impacts of a DevSecOps initiative
  • Defining and executing appropriate actions toward instituting desired change
  • Defining value-driven cultural expectations
  • Transformational leadership

Defining value-driven cultural expectations

Clear cultural expectations are part of a framework to guide successful outcomes for a DevSecOps approach. When incorporating security into DevOps, the following cultural expectations should be key considerations for all team members: 

  • Security by design – Team members work together from the beginning to address security challenges relative to architecture and design decisions.
  • Test-driven security – Integrate CI/CD or Dev pipeline security testing against defined security policies ahead of delivery or deployment.
  • Security team responsibilities – Security team members are actively and continuously involved in writing functional security tests that document and clarify security expectations. Security teams provide transparent insights, guidance, recommendations, and direction to other team members on security standards, applicable threat landscape, risks, common vulnerabilities, security and compliance standards, and secure coding methods.
  • Shift-left security engagement – Security team members are involved from the start of an initiative, rather than at a fixed point in the project. Security is engaged with supporting issue resolution from issue verification (code reviews, threat modeling, and red teaming) to identifying mitigation and remediation options.
  • Unit-testable security requirements – Security team members will define and codify controls down to small, specific, unit-testable modules so that adherence to security standards is repeatable and consistent.
  • Reusable – Reusability of tests across multiple products.
  • Shared responsibility – Security is a shared responsibility of every team member.
  • Fail early and correct early – Missing integrated security controls or requirements are detected early and fast. This allows developers to fix issues as part of daily development activities instead of retroactive corrections.
  • Empowering processes – Processes are developed to empower team members to make sound security decisions that align with the organization’s compliance objectives.

Counting the cost

A center of excellence model can be used to incorporate people, processes, and technology from development, security, and operations teams. Use of the model channels their combined energies toward a common goal. Center of excellence team members collaborate and learn from shared knowledge, experience, and expertise toward agreed-upon outcomes.

To build the center of excellence model, it is important to first understand the impact the proposed change will have on the organization. The degree of change is the extent to which the shift to DevSecOps and its resulting implications will impact the involved stakeholder group’s people, processes, and technology. Analyzing and qualifying this impact helps the organization determine the appropriate action(s) for addressing the desired cultural shift to DevSecOps.

Actions an organization can take include:

  • Modifying, extending, and/or establishing job titles
  • Realigning, consolidating, and/or defining job functions
  • Identifying, aligning, and applying skills requirements
  • Modifying and/or adopting processes
  • Refactoring and/or extending existing technologies
  • Adopting and integrating new technologies
  • Identifying leadership’s involvement level in communicating, advocating, and motivating change
  • Defining the modes and frequency of organization communication necessary to socialize change
  • Defining the learning and skills-building requirements necessary to sustain the change

Leading the way

The organization’s leadership must be actively involved in fostering a DevSecOps culture by:

  • Establishing and communicating the vision and strategy to the organization as a whole.
  • Inspiring and motivating the organization toward organizational change. 
  • Enabling socialization of cultural change through effective communication and collaboration platforms. 
  • Ensuring funding is available to sustain continuous security throughout the lifecycle.
  • Keeping a finger on the pulse of DevSecOps initiatives in order to make timely and necessary adjustments toward successful outcomes and/or to celebrate organizational successes.

Find balance and celebrate successes

Building a successful DevSecOps program with cohesive, highly functioning teams is an iterative process. Much like the methodology it advocates, cultural development and integration require continuous adjustments along the way to strike the right balance toward supporting organizational goals and objectives. Understanding the cost and defining actions relative to organizational impacts, establishing a center of excellence that fosters inclusion and cohesion, leadership advocacy, and defining cultural expectations should all be beneficial toward a successful DevSecOps initiative.