Development and Operations (DevOps) processes, which offer agility and scale, are becoming more popular as developers increasingly build digital products and services such as data analytics, mobile, and cloud. This shift also affects organizational cybersecurity, pushing CISOs to move their security and IT approach toward a shared-responsibility model.
Steve Martino, Cisco’s leader of Information Security (InfoSec), discussed the new workflow that must accompany a shift to DevSecOps – combining DevOps with InfoSec – in a recent blog post. He shared four tips for starting a DevSecOps initiative:
Establish the foundation. It’s important to set clear accountability and high standards from the start. “Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the engineering, operations, and security teams,” he said.
Prove it out first. “Start by defining what your guardrails should be in the context of what platform you’ll use. For example, our first target environment was built on Amazon Web Services (AWS), so we defined 10 guardrails for our AWS accounts that fit our specific requirements. Then, conduct a hack-a-thon as you would for other Agile development efforts. Post-test readouts help the entire team be knowledgeable and support users in DevOps fashion.”
Automate Your Guardrails. Making guardrails easy for your team to apply, for example by reducing the time it takes to open a new account, improves the workflow. “This likely will require coordination among multiple teams – InfoSec, IT, Supply Chain, Procurement and possibly others,” Martino said.
Continuously Validate. “As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs,” he said. Creating security “health reports” is a good way to share information with multiple teams in a timely manner.