This article is a translation of the recent Tech Rocks post on “DevSecOps practices” published on April 18, 2023, in french, on the Tech.Rocks website.
In an era of shorter software development cycles and increased risks of vulnerabilities, integrating cybersecurity into development processes is crucial. This article proposes a pragmatic approach to raising awareness, addressing concerns, and implementing a customized security program within your company.
What is the definition of DevSecOps (Development, Security, Operations)?
Based on Gartner’s definition, we can say that DevSecOps is the integration of security into the different phases of development as well as operations in the most transparent way possible. Ideally, this is done without reducing the agility or speed of developers, or forcing them to leave their development environment.
Why adopt a DevSecOps approach?
To keep up with the fast-paced evolution of the technological landscape and increased risks, it is essential to integrate security into development and operations processes. This holistic approach not only improves the quality, efficiency, and profitability of your applications but also ensures their resilience against threats.
How to empower your teams pragmatically?
You can hold development, operations, and security teams accountable for the products they deploy in production by providing them with practical training, processes, and tools. Security champions, the company’s security manager, and influential sponsors such as the CEO and CTO can lead and support this program. In the case of a company without a dedicated security team or person, it may be worth training and adding this role to a member of the technical team.
How to implement a Security Champions program?
Security champions are members of the development or operations team with an interest in cybersecurity. To recruit security champions within your company, launch internal communication campaigns and organize informative conferences and presentations. Once identified, integrate these champions into a community dedicated to addressing security challenges. Train them in best security practices and tools, and organize regular meetings to discuss challenges and progress. Encourage security champions to share their knowledge with the rest of the team. You can monitor progress using key performance indicators and specific security-related tasks.
How to raise awareness of DevSecOps challenges among your teams?
You can clarify the cybersecurity challenges and provide concrete examples to help teams understand the importance of security in their work. Organize workshops, internal Capture The Flag (CTF) events, or regular meetings to foster trust and collaboration between different teams.
How to integrate cybersecurity into development processes?
The integration of tools and technologies is essential to support the DevSecOps process and improve software security. Here are some key tools and technologies that can be used:
- Build and deployment automation tools such as Jenkins, GitLab CI/CD, and Travis CI, to integrate security controls throughout the development process.
- Configuration management tools such as Terraform, Puppet, Ansible, and Chef to automate deployment processes and ensure configuration compliance.
- Security testing tools such as OWASP ZAP, Burp Suite, and Metasploit, to detect software vulnerabilities.
- Access management tools such as Keycloak, Okta, and Auth0 to ensure the security of authentication and authorization phases of access.
- Monitoring and logging tools such as Prometheus and Loki, to monitor activities and detect security incidents.
The integration of these tools and technologies can help DevSecOps teams implement security controls in an automated manner and ensure software security throughout its lifecycle.
How to involve management in the DevSecOps approach?
Management support is essential to drive the implementation of a DevSecOps approach. Engage managers and leaders in discussions about security and ensure they understand the challenges and benefits of this approach. Management support strengthens the foundation of change and helps identify the most motivated people to become security champions.
In conclusion, adopting a DevSecOps approach is essential to ensure the security and resilience of your applications while navigating increasingly shorter development cycles. By empowering teams, offering pragmatic training, and fostering collaboration between stakeholders, you can seamlessly integrate cybersecurity into your company and protect your data and users.
Contributors to the “DevSecOps Tech.Rocks” working group
- Aroua Biri, working group leader for “DevSecOps” and founder of Frcyber-WeeSec
- Adnan Aita, CTO of Sharelock
- Camille Marsigny, Information Security Manager at Blablacar
- David Peltier, Security Engineer at Decathlon
- Davy Kiala, Lead Developer at CASDEN Banque Populaire
- Jean-Baptiste Beuzelin, Co-founder of Margoo.fr and Coton.dev
- Ludovic Eschard, DevSecOps Team Lead, Orange France
- Clarel Rakotondrahaja, CTO at Sapheer and Director of Strategy and Development at HaiRun Technology
- Stéphane Loesel, Co-founder and CTO of Antidot/Fluid Topics
- Tobias Rohrle, Solutions Engineer, Cloudflare