Achieving cohesion rather than contention in DevSecOps

The DevOps movement has been pivotal in revitalizing the entire application development and maintenance processes, resulting in faster build cycles, tighter coupling of objectives and outcomes, and many other efficiencies. DevSecOps builds on the success of DevOps by combining security into the DevOps process.  Security issues can become a nightmare for development teams and their customers, but successful DevSecOps teams have consistently reduced bugs and vulnerabilities in production code while reducing the amount of time spent in reactive security processes. 

Implementing DevSecOps is not without its challenges. As with most changes, there will be some resistance in adding security to existing well-functioning teams. The art is in managing that change properly to avoid contention and achieve cohesion. 

I had the pleasure of speaking with Vishnu Nallani Chekravarthula, Vice President and head of innovation at Qentelli to get his perspective on this challenge. 

Eric: Which strategy works best to promote security in DevSecOps teams as a value add rather than a bottleneck?

Vishnu: One primary reason security is felt to be a bottleneck rather than a value add is because of how late a security audit is performed in the engineering lifecycle. The focus has to be the integration of security into the entire development workflow. Automating security early and having secure coding guidelines set up as part of the DevSecOps pipeline is key to successful implementation. 

Eric: How do you build that feeling of pride in DevSecOps teams?

Vishnu: All key stakeholders should have a firm understanding of how important application security is to the success of the business. Business leaders can play a major role in communicating the importance of application security to their engineering teams.  As with any successful DevOps implementation, communication and collaboration will bring the feeling of accountability and pride to DevSecOps teams. 

Eric: How can the cloud be leveraged to improve DevSecOps?

Vishnu: Many security scanning tools provide a cloud-based solution to automate security scans as part of the pipeline with low to no maintenance for the infrastructure and operations teams. Also, organizations leveraging the cloud for their application deployments can create a cloud infrastructure that adheres to the security guidelines of the organization, and leverage the tools provided by the cloud providers to audit the infrastructure for security issues continuously.

Eric: How do you keep teams agile as they grow larger with the influx of security people?

Vishnu: The secret lies in being proactive rather than being reactive to security. The key to keeping teams agile is to automate the security scans and related tests to help free up time from developer and security team members. Also, setting up secure coding guidelines and adhering to them will help teams spend more time later fixing the issues. Operations can leverage AI-based tools to identify and notify on issues before they occur.

Eric: What are some of the key attributes of highly cohesive DevSecOps team members?

Vishnu: The principal attribute is reinforcing that security is everyone’s responsibility and a business-critical need. This will lead teams to work together proactively to identify and plug gaps rather than taking a throw-over-the-wall approach, thus helping team members to collaborate better for team success. 

Eric: What are the three most important leadership skills that promote DevSecOps team cohesion?

Vishnu: As stated earlier, leadership should show by example that security is the utmost priority for the team, and remind the team members from time to time that it is critical to take a Security-first approach to engineering activities for business success. This involves tracking data related to application security, then making infrastructure and design decisions based on the data. This is an important DevSecOps process. 

Eric: How do you handle missed objectives?

Vishnu: As the saying goes, “you cannot improve what you cannot track.” DevSecOps teams have to track data related to application security from the early stages of the engineering lifecycle to ensure they can take proactive actions. The best way to handle missed objectives is to take an incremental approach rather than a big-bang approach and prioritize activities that fill the gaps for the most common security challenges. 

Eric: Are there technologies or tools that improve cohesion in DevSecOps teams?

Vishnu: Tools that help DevSecOps teams automate the security tests, as well as AI/ML-based tools that help teams at different stages in the DevSecOps pipeline, will help improve the cohesion between the teams, as they can work together on identifying areas for improvement, while the tools handle the repetitive activities.

Eric: How does the working environment, such as open or closed spaces, working from home, or flexible schedules?

Vishnu: Collaboration and communication are the key. Any support the organization can provide in improving the environment of collaboration always enhances implementation success. Open spaces definitely help enhance the communication and collaboration between teams, based on what we have seen in many enterprises we worked with. Use of collaboration tools such as Slack or Microsoft Teams also enables distributed teams to work better together and be part of the DevSecOps success. 

Eric: How do you establish effective communication between team members?

Vishnu: Apart from the regular cadence between team members, effective use of communication tools such as Slack or Teams helps in more frequent and effective communications between groups of people. 

Eric: What role does automation play in DevSecOps security?

Vishnu: As discussed above, automation is the key to achieving DevSecOps and making security part of the engineering lifecycle. Automation should be applied to static and dynamic security scans to increase coverage and reduce the time from vulnerability identification to remediation.

Eric: Which metrics are most important for DevSecOps project management?

Vishnu: Some of the most important metrics to track for DevSecOps project management, as well as for proactive decision-making, include critical risk profiling; SLA performance; top vulnerabilities; number of adversaries per application; and adversary return rate.

Eric: How do you build trust in DevSecOps teams?

Vishnu: The best way to build trust is to listen and understand the challenges of different stakeholders, and to implement practices that do not add additional woes for the teams when taking security seriously. Policies must be designed with the challenges of developers and operations teams in mind for easier adoption and implementation of practices, enabling security team members to integrate better and quicker to form the DevSecOps team.

Eric: How is AI enhancing DevSecOps and how will it continue to enhance it in the future?

Vishnu: As mentioned earlier, AI will help DevSecOps teams to be proactive rather than reactive. AI helps identify issues before they occur, and this is of immense value, especially for the operations folks. As more data is being gathered, organizations are creating algorithms that can improve application security by identifying the most common coding patterns and identifying or fixing the vulnerabilities. 

Thanks for talking with me, Vishnu. It is clear that DevSecOps is where companies need to be, especially if they already have DevOps in place. The operational and security benefits of this will only continue to increase. 

Preventing Fraud from Top to Bottom | Information Security Summit 2014

An estimated 5% of annual corporate revenues are lost each year to fraud, represented in part by computer fraud. Protection against this threat requires a strong, proactive and comprehensive, entity-wide set of policies, procedures and controls. Anti-fraud measures should include strong manual and automated controls which are designed, implemented, tested and monitored to prevent and detect fraud on a timely basis. This presentation aims to explain how organizations can integrate anti-fraud initiatives into their daily activities to:

  • Develop a system of manual and automated, preventative and detective anti-fraud internal controls
  • Proactively monitor, identify, assess and manage fraud risks
  • Create an anti-fraud culture and fraud awareness program
  • Respond to incidents involving fraud

Is staying safe online possible?

I was asked a question on Twitter today. The question was, “Is staying safe online possible?” This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as “If big companies can’t protect themselves, what chance do I have?” or “If identity theft is inevitable, what is the point of protecting oneself?” Let’s look at the question in an Aristotelian manner. We first must establish what staying safe is. Let’s start with this definition:

Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

*harm is defined as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identity theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with persons and companies to limit a malicious user’s ability to employ the disclosed information and to reduce the amount of damage incurred through its use. More specifically, if a person entered a username and password in a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker would have the ability to utilize their credentials. They would also utilize different credentials for other sites so the information gained would have no value if employed for other Internet services.

Using this definition, I believe I could say that it is possible to stay safe online. However, possibility is not probability. Those that would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people utilizing the Internet do not have this, then the majority of users are not safe. Our logical step, therefore, is to educate users to give them the knowledge and ability, and to make the technology and environment that will provide them with the opportunity something that is available to the majority of users.

For more information:

The Human Side of IT Security

Organizational Security Culture

Securing the Network against Inevitable Human Slipups

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Cyber safety at St. Mark Lutheran

Gail Larrow invited me to speak at St. Mark Lutheran school on cyber safety. It was a pleasure to speak to the students there and to find out how they are using technology. Honestly, I didn’t even recognize some of the technology they mentioned. However, I was able to offer them a lot of information on how to protect themselves online. Here is a copy of the presentation.

Security Awareness: 360 empowerment for cyber defense

A few days ago, I delivered a training session on security awareness.  The employees who attended the training discussed quite a few items that they will bring back to their management that I hope will inspire some culture change and a differing view on information security.  Here is the presentation if you would like to view it.

Improving software development security at CodeMash 2014

I will be delivering two lightning talks at CodeMash 2014 titled “Maximizing Technology Adoption ROI” and “Data Breach Lessons from 2013”. Even those who have not attended the talks can view them here.


Twas the Night before the Breach

Twas the night before the breach, when all through the place
Not an alarm was ringing, nor even a trace
That data was being pilfered, with the greatest of care
In hopes that its access would none make aware
 
The employees were off early, out for the day
Some to go shopping and others to play
Leaving the office empty, ’cept for one man
Filling a thumb drive as fast as he can
 
The passwords he had, some from Susan, others Paul
One under the keyboard, another on the wall
So he gleefully posed as his oblivious colleagues
Obtaining the data while humming a melody
 
Till leaving the office, no clue he neglect
To remove with him lest someone start to suspect
Ill intentions from such an employee as he
Whose reputation was spotless as spotless could be
 
The holiday proceeded much as expected
Families gathered, read stories and collected
The gifts they desired but hardly touched after
Great feasts were consumed, songs sung with laughter
 
But one of them partook in much more than cheer
Anonymously he sold them, stolen secrets most dear
Highest bidder to win, take all you can handle
Spreadsheets, memos, personal and financial
 
Returning to work, the breach first went undetected
Till profits sagged much lower than projected
Our secrets were stolen, they cried in shock
Our competitors have knowledge of things they ought not