With developers and security teams pushing themselves for quicker production times, higher velocity and increased cost savings, I’ve found that one way to achieve all of these objectives is by creating a DevSecOps culture in your organization. If you’re currently viewing security as individual, one-off issues or in a reactive fashion, you’re putting your system at serious risk for an attack – with huge cost implications. And while some companies see developers and security as teams who operate best when they’re working separately, many have discovered that integrating AppSec into DevOps will actually improve their performance at every level.
Here’s how to get started:
Overcome resistance to change
I’ve found that “not wanting to change” is usually the biggest reason organizations are hesitant to adopt DevSecOps. Change takes time and effort. Developers and security must work together, and there tends to be a learning curve on both sides. Developers need to learn how vulnerabilities are introduced during development, and the security team needs to understand coding well enough to provide concrete examples (e.g. input validation, output encoding, parameterized SQL queries) rather than abstract findings. Be aware of the time this takes, but be assured that it’s worth it.
Foster a culture of openness
DevSecOps is a true cultural shift dependent on communication, and you’ll be selling the concept short if you look at it any other way. By having an open flow of communication between your development and security teams, you’re promoting a culture of collaboration and continuous learning, which is necessary when integrating functional areas. One helpful tip is to develop use and abuse cases side by side: the use case describes how a feature is meant to be used, and the matching abuse case describes how a ‘bad actor’ could misuse the same feature to exploit the application. Writing both at design time gives developers and security a shared picture of what the code must prevent, not just what it must do.
Make security your default setting
With more high-profile security breaches than ever, sustainable security needs to be top of mind. After all, a crucial part of DevSecOps culture is having security integrated within all DevOps practices, so that a scan or a threat review runs as a normal step in the pipeline rather than as an exception someone has to request. Conduct regular scans, risk assessments, and penetration tests, and don’t forget: a large share of successful cyber attacks trace back to human error such as misconfiguration, mishandled credentials or phishing, so awareness and training belong in the program alongside the tooling.
Encourage developers to become security-aware
Once developers see how vulnerabilities can be exploited in real time, it’s very easy for them to understand the importance of application security. I’ve seen this many times when working with developers; once you sit down with them and start performing a penetration test, or demonstrate concepts like cross-site scripting, SQL injection, or command injection against their own code, they understand the implications and want to produce secure code. Sometimes it just takes a little collaboration with the security team to help accomplish this.
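The kind of side-by-side demonstration described above, for two of the concepts named (SQL injection and cross-site scripting), as an added example that is not part of the original article. The schema, the single user record, and the two payloads are constructed for illustration; the database is an in-memory SQLite instance so the script runs offline with only the standard library.

```python
"""Vulnerable and hardened versions of a login query and an HTML greeting.

Added example, not from the original article. The users table, the
credentials and the payloads below are constructed for illustration.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse battery staple')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: untrusted input is spliced into the SQL text, so a quote or a
    # keyword in the input changes the meaning of the query itself.
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: placeholders keep the query text fixed; the driver sends the
    # values separately, so a quote in the input is just a quote.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def greeting_vulnerable(name: str) -> str:
    # BAD: attacker-controlled text is written straight into HTML and will
    # be parsed as markup by the browser.
    return "<p>Hello, " + name + "</p>"


def greeting_escaped(name: str) -> str:
    # GOOD: html.escape turns <, >, &, ' and " into entities so the browser
    # renders the text literally instead of executing it.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed payloads: the first closes the password string and appends an
# always-true condition; the second is a classic script tag.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both variants against both payloads and return the outcomes."""
    conn = make_db()
    results = {
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vuln_sqli": login_vulnerable(conn, "alice", SQLI_PAYLOAD),
        "param_wrong_password": login_parameterized(conn, "alice", "wrong"),
        "param_sqli": login_parameterized(conn, "alice", SQLI_PAYLOAD),
        "param_real_password": login_parameterized(
            conn, "alice", "correct horse battery staple"
        ),
        "xss_vuln_has_script": "<script>" in greeting_vulnerable(XSS_PAYLOAD),
        "xss_escaped_has_script": "<script>" in greeting_escaped(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the point a developer needs to see: the concatenated query accepts `' OR '1'='1` as a password because the resulting SQL reads `... AND password = '' OR '1'='1'`, while the parameterized query treats the same string as an ordinary wrong password, and the escaped greeting contains no `<script>` tag to execute.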
Once security is integrated into DevOps you’ll see the time-to-production speed up. Having security as part of the development process doesn’t remove the need for penetration testing or for static and dynamic analysis; it moves them earlier, into the pipeline, so the late-stage penetration test finds fewer issues and triggers far less rework. With DevSecOps, it’s easier to spot vulnerabilities much earlier, when they are cheapest to fix, so you can avoid costly delays.
Having an integrated team means developers can write secure code from the beginning, and the security team can spend more time on key initiatives like vulnerability management and endpoint security. Achieving a fundamental shift in your DevOps approach can seem overwhelming, but by integrating AppSec, and therefore prioritizing collaboration and openness, you’ll soon be reaping the benefits that accompany a DevSecOps culture.
About the Author:
Joe Sullivan is a principal consultant at Sparq in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.