What is DevSecOps?

 

We rely on apps for everything. Therefore, it just makes sense to develop secure code. So why is it so hard for us all to get along? This is something Dev, Sec, AND Ops should be working on together.

This webinar was all about DevSecOps. We spoke about shared responsibility, how continued compliance can save us a lot of money, and how cheap it is to implement. We discussed how to develop guard rails for our development team so they can develop faster and securely, and how to be able to say every day that we are in compliance.

If you have development, operations, or security, and they’re not all sitting round singing Kumbaya… time to come listen…

Buzzword of the Day…DevSecOps
It’s a cool way to break down the walls between Development, Security, and Operations and get technical and non-technical people to start thinking of all three elements as one. Hence the term, DevSecOps! Say it with us…Dev…Sec…Ops! Again!

Infographic Time!

DevSecOps Venn Diagram

  • Development
    They write programs in languages that only they understand.
  • Security
    They make sure the programs that the Development team writes are secure.
  • Operations
    They humanize the process by asking for what they need and by unknowingly trying to break the programs the Development team writes to catch bugs so that the Development and Security teams can fix any issues internally before launching.

Communication Breakdown
It’s no secret that Development, Security, and Operations teams have a history of bad communication and sometimes egos flare up because each team believes they add more value than the others. The truth is that all teams need each other in order to be successful and cannot operate alone.

Encourage your teams to discuss with internal teams AND peer-to-peer groups like All Day DevSecOps on LinkedIn to engage in sharing successes and failures.

How DO We Get the Teams to Work Together?
If we want to find a way to relate to what people are doing in the jobs they love, the easiest way is to ask them. Have all teams audit one another and ask each of them how the other teams can improve. This will inadvertently create a cultural shift and open the doors of communication between Development, Security, and Operations.

How DO These Teams Work Efficiently?
Discuss your absolutes, your must-haves in order to be compliant, your need-to-haves in order to maintain function and capability, and your nice-to-haves, such as “we’d love a blue background.” This discussion should take place before every project!

Put Up the Guard Rails
For example, a database should be encrypted, and the guard rail is like a hashtag in the code that says the function is encrypted, so whenever someone adds something to the code that violates this rule, you will be alerted. With this guard rail in place, instead of going over the code once a year or once a quarter, which is very expensive, you can achieve continued compliance from the get-go without rescanning the code.
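
One way to express the guard rail described above as a check that runs on every change, so a violation raises an alert when it is introduced rather than at the yearly review. This is an added example, not something shown in the webinar; the manifest format, the resource names and the `encrypted-at-rest` tag are constructed assumptions.

```python
import json
import sys

# Constructed manifest: resource names, fields and the tag name are assumptions.
SAMPLE_MANIFEST = """
[
  {"name": "orders-db",  "type": "database", "guardrails": ["encrypted-at-rest"],
   "settings": {"storage_encrypted": true}},
  {"name": "reports-db", "type": "database", "guardrails": ["encrypted-at-rest"],
   "settings": {"storage_encrypted": false}},
  {"name": "scratch-db", "type": "database", "guardrails": [],
   "settings": {"storage_encrypted": true}},
  {"name": "web-cache",  "type": "cache", "guardrails": [],
   "settings": {}}
]
"""

# Guard rail tag -> predicate the tagged resource must satisfy.
RULES = {
    "encrypted-at-rest": lambda r: r.get("settings", {}).get("storage_encrypted") is True,
}

# Resource types that must always carry a given guard rail tag.
REQUIRED_TAGS = {"database": {"encrypted-at-rest"}}


def check_guardrails(manifest_text):
    """Return a sorted list of (resource, tag, reason) violations."""
    violations = []
    for res in json.loads(manifest_text):
        tags = set(res.get("guardrails", []))
        # A tag that was removed is as much a violation as a rule that fails.
        for tag in REQUIRED_TAGS.get(res.get("type"), set()) - tags:
            violations.append((res["name"], tag, "required tag missing"))
        for tag in tags:
            rule = RULES.get(tag)
            if rule is None:
                violations.append((res["name"], tag, "unknown guard rail"))
            elif not rule(res):
                violations.append((res["name"], tag, "rule not satisfied"))
    return sorted(violations)


if __name__ == "__main__":
    found = check_guardrails(SAMPLE_MANIFEST)
    for name, tag, reason in found:
        print(f"GUARDRAIL VIOLATION {name}: {tag} ({reason})")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline run
```

Run against the sample, it flags the database whose encryption was switched off and the one whose tag was dropped, and the non-zero exit code is what turns the finding into a failed build.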

How Do We Get Management On Board?
Speak in finance terms. Tell them this will save x amount of time and resources, which will result in x amount of money saved. Show them case studies or other examples of how successful this has been at other companies. Include discussions on costs related to risks as well. For example, if the company’s network is shut down, how much money will they lose in resources, productivity, and profit?

Just as important, and in some cases even more important for large companies with large revenue, discuss reputation damage.

Find out what the company's triggers are and relate them back to how DevSecOps can help.

Expand Your Knowledge Base, Contribute, and Learn
How do you find a DevSecOps Community to gather information?

The experts gave us their best tips:

  • DevSecOps London Gathering
  • All Day DevSecOps on LinkedIn
  • DevOps Institute
  • Linux Academy
  • DevSecOps Essentials
  • Epic failure stories from communities on LinkedIn and other places on the web. The value is in the comments. Don’t just read, join the discussion, comment, and ask questions.
  • YouTube
  • Attending webinars like this one!

DevSecOps is a Cultural Change

Moderated by

  • Wizer’s hacker, Chris Roberts!

Panelists:


  • Mark Miller - Co-Founder, All Day DevOps

  • Aubrey Stearn - Interim CTO @ Oakam | CTO | VP Engineering | Speaker | YouTuber | Mentor

  • Jason Rogers - Solution Minded Security Instigator

  • Eliza-May Austin - CEO & Co-Founder at th4ts3cur1ty.company