Creating A DevSecOps Philosophy & Answering The Call of Duty

Ben Riley, UK Technical Director, Sweagle

DevSecOps is a mindset. It’s a philosophy to commit to involving security every step along the DevOps lifecycle.

Ben Riley, UK Technical Director, Sweagle features in the second interview in our Ask the Expert series where we discuss pertinent issues relating to DevSecOps. In this episode, Ben talks to Emily Tippins, Global Marketing Director, Sweagle about why DevSecOps should be ingrained in your DevOps culture and how it should form a fundamental part of the processes and procedures within your CI/CD pipelines. Watch this video to hear Ben’s thoughts on seamless automation, security and encryption of configuration data.

DevSecOps isn’t a blocker, either. It’s a cultural change that means every time we create some code, we go through our processes and pipelines to make sure that security is at the heart of everything we do.

If you ask me my opinion, people need to be reminded of the security responsibilities within DevOps. Sticking to a DevSecOps philosophy means accepting the duty to address all of your vulnerabilities. It’s about taking responsibility for the quality of your code, where it’s stored and who gets access to it.

Adding layers of process doesn’t have to mean slowing down. But you do need to adopt a mindset of being in constant pursuit of understanding how people might expose you, your business application and your customer data. This is especially important where you have an obligation to protect your customers and their data. So security in DevOps isn’t just about passwords and tokens.

One of the terms I hear a lot is ‘segregation of duty’. Within our DevOps teams, people need to have the freedom and responsibility to carry out their duties, uninhibited. But we also need the ability to put in a level of control to manage roles, access and secrets. In adding this level of control, we shouldn’t impact people who don’t need to be affected. For example, if you’re trying to develop a customer experience, you should be able to do that without jumping through loads of hoops.

So security within DevOps should be one of the fundamentals that you get right early on. Role-based access and a clear set of controls are a good place to start. And there’s really no excuse not to.

If you think about the cost of not doing it, regardless of where you are in your DevOps journey, it would surely outweigh the cost of adopting such a philosophy.

GDPR is an obvious cost that could trip you up if you’re not prepared. Your business applications and customer experiences should be one of the primary reasons to adopt DevSecOps as a mantra. There have been a few high-profile examples where some key players have been caught out. Outages can be caused simply by failing to secure passwords in log files. This is often not done maliciously but through a lack of awareness and an absence of controlled thought.

Think about it like putting a perimeter around your customer data. But it’s more than that.

We’ve all seen examples of how people can creep over that perimeter. Before you know it, one small bit of config could cause you major outages. And with most config-related outages, you won’t get notified before it’s too late. So it’s vital to recognise that this is a space within DevOps that needs improvement.

I’ve seen a lot of people who have previously been stung by this kind of problem. So they’ve been on a journey of improvement that now gives them more confidence to release quicker and get more time back to put into other things.

So the better you manage the security, access and validation of the config within your CI/CD process, the quicker you can deploy, with better quality and fewer errors.
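The two failure modes mentioned above, a password sitting in plaintext in a config or log file and a change to production config made by someone whose role shouldn't allow it, are both things a pipeline can check before deployment. The following is an added example of such a gate, written for this page; it is not Sweagle's product code and does not show how Sweagle implements these checks. The config keys, the `vault:` and `${VAR}` reference conventions, the role policy and the sample config and log lines are all constructed for illustration.

```python
"""Added example: a pre-deploy gate over config and log data.

Three checks a CI/CD stage can run before a release is promoted:
  1. credential-like config keys must reference a secret store, not hold a value;
  2. application logs must not echo credentials;
  3. a config change must be allowed for the requesting role in that environment.
Everything here (key names, conventions, roles, sample data) is assumed, not from the page.
"""
import re
from dataclasses import dataclass

# Keys that usually hold a credential (assumed list, extend for your own naming).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[._-]?key)", re.I)
# Values that are references to a secret store rather than the secret itself:
# "vault:path/to/item" or an environment placeholder like ${DB_PASSWORD}.
VAULT_REF_RE = re.compile(r"^(vault:|\$\{?[A-Z_]+\}?$)")
# Log values that indicate the credential was already masked before writing.
MASKED_VALUES = ("***", "[redacted]", "<redacted>")


@dataclass
class Finding:
    source: str
    line_no: int
    key: str
    reason: str


def parse_kv(text):
    """Parse simple 'key=value' lines; blanks and '#' comments are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        entries.append((n, k.strip(), v.strip()))
    return entries


def find_plaintext_secrets(config_text, source="app.properties"):
    """Flag credential-like keys whose value is not a secret-store reference."""
    return [
        Finding(source, n, k, "plaintext secret value in config")
        for n, k, v in parse_kv(config_text)
        if SECRET_KEY_RE.search(k) and not VAULT_REF_RE.match(v)
    ]


def find_secrets_in_logs(log_text, source="app.log"):
    """Flag log lines that print a credential-like key together with an unmasked value."""
    findings = []
    pat = re.compile(r"(password|passwd|secret|token|api[._-]?key)\s*[=:]\s*(\S+)", re.I)
    for n, line in enumerate(log_text.splitlines(), 1):
        m = pat.search(line)
        if m and not VAULT_REF_RE.match(m.group(2)) and m.group(2).lower() not in MASKED_VALUES:
            findings.append(Finding(source, n, m.group(1), "credential written to log"))
    return findings


# Segregation of duty as a role policy: role -> environment -> key prefixes it may change.
# An empty-string prefix means "any key". Assumed policy, not the page's.
ROLE_POLICY = {
    "developer": {"dev": {"feature.", "app."}, "prod": set()},
    "release-manager": {"dev": {""}, "prod": {"feature.", "app.", "db."}},
}


def check_change_allowed(role, env, key):
    prefixes = ROLE_POLICY.get(role, {}).get(env, set())
    return any(key.startswith(p) for p in prefixes)


def gate(config_text, log_text, changes):
    """Run all checks. changes is a list of (role, env, key). Returns (passed, findings)."""
    findings = find_plaintext_secrets(config_text) + find_secrets_in_logs(log_text)
    for role, env, key in changes:
        if not check_change_allowed(role, env, key):
            findings.append(Finding("change-request", 0, key, f"{role} may not change {key} in {env}"))
    return (not findings, findings)


# Constructed sample inputs: one leaked password in config, one echoed in a log line.
SAMPLE_CONFIG = """# constructed sample config, not a real system
app.name=orders
db.url=jdbc:postgresql://db/orders
db.password=Sup3rSecret!
api.key=${ORDERS_API_KEY}
session.secret=vault:kv/orders/session
"""
SAMPLE_LOG = """INFO  starting orders service
DEBUG connecting with password=Sup3rSecret! to db
INFO  token=[REDACTED] accepted
"""
SAMPLE_CHANGES = [("developer", "dev", "feature.checkout"), ("developer", "prod", "db.password")]

if __name__ == "__main__":
    passed, found = gate(SAMPLE_CONFIG, SAMPLE_LOG, SAMPLE_CHANGES)
    print("PASS" if passed else "FAIL")
    for f in found:
        print(f"  {f.source}:{f.line_no} {f.key}: {f.reason}")
```

Run as a pipeline step, a non-empty findings list fails the build before the config reaches an environment. The two conventions that make the config check work, secret-store references and environment placeholders, are the point: the check cannot tell a strong password from a weak one, but it can tell a value from a reference, and only references should ever be committed.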

I do believe that automating the elements that make up a DevSecOps philosophy really is the way to go. But think about what you are automating. Is there a bigger problem you need to solve first? If you apply automation at the right time, in the right space, with the right team, you’ll do more than what’s simply required to remain compliant and operational. Your teams will self-actualise and go beyond the call of duty, to where DevSecOps becomes an unconscious part of your DevOps DNA.

Further Learning

Ben Riley delivered a technical webinar demonstrating how config data applies to auditing, RBAC and CI/CD.

Watch the technical demo »