The DevOps movement has been pivotal in revitalizing the entire application development and maintenance processes, resulting in faster build cycles, tighter coupling of objectives and outcomes, and many other efficiencies. DevSecOps builds on the success of DevOps by combining security into the DevOps process. Security issues can become a nightmare for development teams and their customers, but successful DevSecOps teams have consistently reduced bugs and vulnerabilities in production code while reducing the amount of time spent in reactive security processes.
Implementing DevSecOps is not without its challenges. As with most changes, there will be some resistance in adding security to existing well-functioning teams. The art is in managing that change properly to avoid contention and achieve cohesion.
I had the pleasure of speaking with Vishnu Nallani Chekravarthula, Vice President and head of innovation at Qentelli to get his perspective on this challenge.
Eric: Which strategy works best to promote security in DevSecOps teams as a value add rather than a bottleneck?
Vishnu: One primary reason security is felt to be a bottleneck than a value add is because of how late a security audit is performed in the engineering lifecycle. The focus has to be the integration of security into the entire development workflow. Automating security early and having secure coding guidelines set up as part of the DevSecOps pipeline is key to successful implementation.
Eric: How do you build that feeling of pride in DevSecOps teams?
Vishnu: All key stakeholders should have a firm understanding of how important application security is to the success of the business. Business leaders can play a major role in communicating the importance of application security to their engineering teams. As with any successful DevOps implementation, communication and collaboration will bring the feeling of accountability and pride to DevSecOps teams.
Eric: How can the cloud be leveraged to improve DevSecOps?
Vishnu: Many security scanning tools provide a cloud-based solution to automate security scans as part of the pipeline with low to no maintenance for the infrastructure and operations teams. Also, organizations leveraging cloud for their application deployments, can create a cloud infrastructure that adheres to the security guidelines of the organization, and leverage the tools provided by the cloud providers to audit the infrastructure for security issues continuously.
Eric: How do you keep teams agile, as they grow larger with the influx security people?
Vishnu: The secret lies in being proactive rather than being reactive to security. The key to keeping teams agile is to automate the security scans and related tests to help free up time from developer and security team members. Also, setting up secure coding guidelines and adhering to them will help teams spend more time later fixing the issues. Operations can leverage AI-based tools to identify and notify on issues before they occur.
Eric: What are some of the key attributes of highly cohesive DevSecOps team members?
Vishnu: The principal attribute is reinforcing that security is everyone’s responsibility and a business-critical need. This will lead teams to work together proactively to identify and plug gaps than taking a throw-over the wall approach, thus helping team members to collaborate better for team success.
Eric: What are the three most important leadership skills that promote DevSecOps team cohesion?
Vishnu: As stated earlier, leadership should show by example that security is the utmost priority for the team, and remind the team members from time to time that it is critical to take a Security-first approach to engineering activities for business success. This involves tracking data related to application security, then making infrastructure and design decisions based on the data. This is an important DevSecOps process.
Eric: How do you handle missed objectives?
Vishnu: As the saying goes, “you cannot improve what you cannot track.” DevSecOps teams have to track data related to application security from the early stages of engineering lifecycle to ensure they can take proactive actions. The best way to handle missed objectives is to take an incremental approach than taking a big-bang approach and prioritize activities that fill the gaps for most common security challenges.
Eric: Are there technologies or tools that improve cohesion in DevSecOps teams?
Vishnu: Tools that help DevSecOps teams automate the security tests, as well as AI/ML-based tools that help teams at different stages in DevSecOps pipeline, will help improve the cohesion between the teams, as they can work together on identifying areas for improvement, while the tools handle the repetitive activities.
Eric: How does the working environment, such as open or closed spaces, working from home, or flexible schedules?
Vishnu: Collaboration and communication is the key. Any support the organization can provide in improving the environment of collaboration always enhances implementation success. Open spaces definitely help enhance the communication and collaboration between teams, based on what we have seen in many enterprises we worked with. Use of collaboration tools such as Slack or Microsoft teams also enables distributed teams to work better together and be part of the DevSecOps success.
Eric: How do you establish effective communication between team members?
Vishnu: Apart from the regular cadence between team members, effective use of communication tools such as Slack or Teams helps in more frequent and effective communications between groups of people.
Eric: What role does automation play in DevSecOps security?
Vishnu: As discussed above, automation is the key to achieving DevSecOps and making security part of the engineering lifecycle. Automation should be applied to static and dynamic security scans to increase coverage and reduce the time from vulnerability identification to remediation.
Eric: Which metrics are most important for DevSecOps project management?
Vishnu: Some of the most important metrics to track for DevSecOps project management, as well as for proactive decision-making, include critical risk profiling; SLA performance; top vulnerabilities; number of adversaries per application; and adversary return rate.
Eric: How do you build trust in DevSecOps teams?
Vishnu: The best way to build trust is to listen and understand the challenges of different stakeholders, and implementing practices that do not add additional woes for the teams when taking Security seriously. Policies must be designed with the challenges of developers and operation teams in mind for easier adoption and implementation of practices, enabling security team members to integrate better and quicker to form the DevSecOps team.
Eric: How is AI enhancing DevSecOps and how will it continue to enhance it in the future?
Vishnu: As mentioned earlier, AI will help DevSecOps teams to be proactive than being reactive. AI helps identify issues before they occur and this is of immense value, especially for the operations folks. As more data is being gathered, organizations are creating algorithms that can improve application security by identifying the most common coding patterns and identifying or fixing the vulnerabilities.
Thanks for talking with me, Vishnu. It is clear that DevSecOps is where companies need to be, especially if they already have DevOps in place. The operational and security benefits of this will only continue to increase.