Security Is Everybody's Job (Part 4)


The previous article in this series is here.

In this post, we will explore The Three Ways of DevOps. But first, a definition.

"DevSecOps is Application Security, adjusted for a DevOps environment." (Imran A Mohammed)

DevSecOps is the security activities that application security professionals perform, to ensure the systems created by DevOps practices are secure. It's the same thing we (AppSec professionals) have always done, with a new twist. Thanks, Imran!

Refresher on The Three Ways:
  1. Emphasize the efficiency of the entire system, not just your part.
  2. Fast feedback loops.
  3. Continuous learning, risk-taking, and experimentation (failing fast).

Let’s dig in, shall we?

1. Emphasize the Efficiency of the Entire System, Not Just One Part

This means that Security CANNOT slow down or stop the entire pipeline (break the build or block a release) unless it is a true emergency. It means Security learning to sprint, just as Dev and Ops already do. It means focusing on improving ALL value streams, and showing how securing the final product adds value to every other stream. It means fitting security activities into the existing Dev and Ops processes and making sure we are fast.

2. Fast Feedback Loops

Fast feedback loops = "Pushing Left" (in application security).

Pushing or shifting "left" means starting security earlier in the System Development Life Cycle (SDLC): the phases are usually drawn left to right, so "earlier" is "left". We want security activities to happen sooner so that feedback arrives earlier, which is exactly what the Second Way asks for. The goal of security activities must be to shorten and amplify feedback loops so that security flaws (design/architecture issues) and bugs (code/implementation issues) are fixed as early as possible, when fixing them is faster, cheaper, and easier to do well.
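The First Way says Security may only stop the pipeline for a true emergency; the Second Way says everything else should still reach the developer as fast feedback. The following is an added example of how those two rules look as a CI security gate. It is not code from the original article or from any particular scanner; the finding schema (rule, file, line, severity, exploit_available, reachable), the sample findings, the baseline file and the "emergency" policy are all assumptions constructed for the demonstration, and the annotation format is modelled on GitHub Actions workflow commands.

```python
"""Added example (not from the original article): a CI security gate that
breaks the build only for true emergencies and turns everything else into
fast, non-blocking feedback.

Assumptions: scanner output is a list of dicts with the keys rule, file,
line, severity, exploit_available and reachable; previously triaged
findings live in a JSON list of fingerprints (the "baseline") so existing
debt does not block every build.
"""
import json
from dataclasses import dataclass, field

# Constructed sample scanner output; the schema is an assumption, not a real tool's.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "file": "api/orders.py", "line": 42,
     "severity": "high", "exploit_available": True, "reachable": True},
    {"rule": "weak-hash-md5", "file": "auth/legacy.py", "line": 7,
     "severity": "medium", "exploit_available": False, "reachable": True},
    {"rule": "hardcoded-secret", "file": "config/dev.py", "line": 3,
     "severity": "critical", "exploit_available": False, "reachable": False},
    {"rule": "verbose-error", "file": "api/orders.py", "line": 88,
     "severity": "low", "exploit_available": False, "reachable": True},
]

# Constructed baseline: findings already triaged and scheduled for a fix.
SAMPLE_BASELINE = json.dumps(["weak-hash-md5:auth/legacy.py:7"])

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)   # true emergencies: fail the build
    warnings: list = field(default_factory=list)   # new, non-emergency: report, do not block
    baselined: list = field(default_factory=list)  # known debt: tracked, not re-reported

    @property
    def exit_code(self) -> int:
        return 1 if self.blocking else 0


def fingerprint(f: dict) -> str:
    """Stable identity for a finding so it can be matched against the baseline."""
    return f"{f['rule']}:{f['file']}:{f['line']}"


def is_emergency(f: dict) -> bool:
    """Policy for what is allowed to stop the pipeline (an assumed policy).

    Critical findings always block. High findings block only when a public
    exploit exists AND the affected code is reachable. Everything else is
    feedback for the developer, not a reason to halt the flow.
    """
    sev = f["severity"]
    if sev == "critical":
        return True
    return sev == "high" and f.get("exploit_available", False) and f.get("reachable", False)


def gate(findings: list, baseline_json: str) -> GateResult:
    """Sort findings by severity and route each one to block, warn or baseline."""
    baseline = set(json.loads(baseline_json))
    result = GateResult()
    for f in sorted(findings, key=lambda x: -SEVERITY_RANK[x["severity"]]):
        if fingerprint(f) in baseline:
            result.baselined.append(f)
        elif is_emergency(f):
            result.blocking.append(f)
        else:
            result.warnings.append(f)
    return result


def annotations(result: GateResult) -> list:
    """Developer-facing feedback, one line per finding, attached to file and line.

    The "::error"/"::warning" syntax follows GitHub Actions workflow commands;
    other CI systems have equivalents.
    """
    lines = []
    for f in result.blocking:
        lines.append(f"::error file={f['file']},line={f['line']}::"
                     f"{f['rule']} ({f['severity']}) blocks this build")
    for f in result.warnings:
        lines.append(f"::warning file={f['file']},line={f['line']}::"
                     f"{f['rule']} ({f['severity']}) fix before release")
    return lines


if __name__ == "__main__":
    res = gate(SAMPLE_FINDINGS, SAMPLE_BASELINE)
    print("\n".join(annotations(res)))
    raise SystemExit(res.exit_code)
```

On the constructed sample the hard-coded secret (critical) and the reachable, exploitable SQL injection (high) stop the build; the verbose error is a warning the developer sees on the exact line; the MD5 finding is already in the baseline and is tracked rather than re-reported. The baseline is what keeps the gate from punishing a team for historic debt the moment a scanner is switched on, which is the fastest way to get the scanner switched off again.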

3. Continuous Learning, Risk-Taking, and Experimentation

For most security teams this means serious culture change; my favorite thing. InfoSec needs some culture change. All of IT does (including Dev and Ops) if we want to make security everybody's job.

Practices that are part of The Third Way:

  • Allocating time for the improvement of daily work
  • Creating rituals that reward the team for taking risks: celebrate successes
  • Introducing faults into the system to increase resilience: red team exercises

We are going to delve deep into each of the three ways over the next several articles, exploring several ways that we can weave security through the DevOps processes to ensure we are creating more secure software, without breaking the flow.

If you are itching for more, but can't wait until the next post, watch this video by Tanya Janca. She will explain this and much more in her talk Security Learns To Sprint.


Published at DZone with permission of Tanya Janca . See the original article here.
