Tuesday, June 25, 2019

Attributes of a Positive DevSecOps Culture

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What are the attributes of a positive DevSecOps culture?" Here's what they told us:

Security is Ingrained

  • Developers think more about security the same way they think about deployment when writing software. With DevSecOps, developers don’t do insecure things. Developers are more likely to want to talk to security to come up with good designs. Security is involved with engineering to get feedback and identify better ways of doing things. Security works as partners with developers to develop features that are secure. Consider risks versus business value.
  • Infusing the mentality of proactive security across every team. Develop, design, and test in a sandbox. Ops working with security in mind. Product management is thinking about security. Automating whenever possible. Humans don’t scale. Look for ways to leverage automation to complete low-value, repetitive tasks. Take a bite-sized approach. Pick a few key goals and celebrate small victories to keep people excited and to let everyone see the progress being made.
  • As container use matures, enterprises benefiting from deploying containers within CI/CD pipelines are recognizing the importance of securing their application container development environments from start to finish. Whereas before, DevOps may not have added security measures until the middle of development, there’s now a cultural movement toward DevSecOps, in which security and DevOps teams work together to “shift left”: implementing built-in security measures from the beginning of the development lifecycle. At the same time, enterprises are advancing container technology beyond proving grounds and into production. These live, containerized production environments must be secured, necessitating a “shift right” as well. As a result, DevOps team cultures are now commonly shifting to a DevSecOps mindset, embracing security solutions specifically designed to safeguard container environments across the full build-ship-run application lifecycle.
  • A positive DevOps culture is one where security is an enabler versus a blocker to shipping good things. Generally, folks want to be secure until being secure is difficult. Make important security things easy. Thread security throughout your processes. It’s not a central security team’s job to make sure developers write good code. Developers should want to write secure code as part of being excellent in their roles. Learning about secure coding, secure operations, secure deployment, etc. should be integral to success in a role, and not nice-to-have knowledge.
  • 1) A drive for excellence. Security is critical to modern applications but is often invisible to the customer and other developers. Without a culture of excellence, teams may be pressured to quickly implement a solution that’s less secure rather than take the time to implement a secure and maintainable solution. 2) Extensive automation - With automated deployment processes, security testing can be performed all along the development pipeline. Automation ensures that security requirements and testing are always performed consistently. Manual security processes insert delays and often motivate people to find ways around them.
  • Every step of the DevOps chain must be thoroughly applying security best practices.
  • 1) Get speed and agility. Automated security decisions are being made at speed and at scale. 2) Fostering a culture of security. Changing the security culture with more awareness in all phases of the SDLC. Developers make more considerations around risk versus value.
  • 1) You have to care. You have to know you live in a world where actors and nation states are breaking into everything they can – the democratization of malicious actors. It’s incumbent on DevSecOps to be aware of how easy it is to break in. 2) Think about how to make security part of the process up front and into every line of code and automation. It’s everyone’s responsibility.
  • When everyone on the team sees security as their own responsibility, and not as someone else’s problem, you have a positive DevSecOps culture. This is expressed by security being part of every user story completion criteria up-front, by security testing being an integral part of the continuous integration pipeline and production environment, and through executive support and understanding that security must not be compromised to reduce time to market.
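Several of the responses above describe security testing as an automated, consistent gate in the continuous integration pipeline rather than a manual review at the end. As an added illustration that is not part of the original article or any respondent's own tooling, the script below is a minimal merge gate in Python: it scans only the lines a diff adds for credentials (an AWS access key ID, a private key block, a hard-coded password) and flags unpinned entries in a requirements manifest, then fails the build with a non-zero exit status. The rule set, the sample diff and the sample requirements file are constructed for this example; a production pipeline would delegate to a maintained scanner, but the shape of the check is the same.

```python
import re
import sys
from dataclasses import dataclass

# Deliberately small, hypothetical rule set (an assumption of this example).
# Real gates delegate to a maintained scanner; the check's shape is identical.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*=\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int   # line number in the post-change file
    excerpt: str


def scan_added_lines(diff_text):
    """Scan only the lines a unified diff adds; removed lines cannot leak."""
    findings = []
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the next line of the hunk is line c of the new file
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue   # file headers
        if raw.startswith("-"):
            continue   # removed line: does not exist in the new file
        line_no += 1   # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append(Finding(rule, line_no, content.strip()[:60]))
    return findings


def unpinned_requirements(requirements_text):
    """Return requirement specs not pinned with '=='; unpinned deps make builds
    non-reproducible and let an upstream compromise ride in unnoticed."""
    unpinned = []
    for line in requirements_text.splitlines():
        spec = line.split("#", 1)[0].strip()
        if not spec or spec.startswith("-"):
            continue   # blank, comment, or pip option such as "-r base.txt"
        if "==" not in spec:
            unpinned.append(spec)
    return unpinned


def gate(diff_text, requirements_text):
    """Combine the checks into one pass/fail decision plus the evidence."""
    findings = scan_added_lines(diff_text)
    unpinned = unpinned_requirements(requirements_text)
    return {"passed": not findings and not unpinned,
            "secrets": findings, "unpinned": unpinned}


# Constructed sample input: a diff that swaps environment lookups for literals
# and adds a key file. The AWS key ID is the documented placeholder value.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 DATABASE_HOST = "db.internal"
-DATABASE_PASSWORD = os.environ["DB_PASSWORD"]
+DATABASE_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
--- a/deploy/ci.pem
+++ b/deploy/ci.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0000PLACEHOLDER0000
+-----END RSA PRIVATE KEY-----
"""

# Constructed sample manifest: one pinned, two unpinned entries.
SAMPLE_REQUIREMENTS = """\
flask==2.3.3
requests>=2.0     # floats to whatever the index serves next
pyyaml
"""


def main():
    result = gate(SAMPLE_DIFF, SAMPLE_REQUIREMENTS)
    for f in result["secrets"]:
        print(f"BLOCK secret at new line {f.line_no}: {f.rule}: {f.excerpt}")
    for spec in result["unpinned"]:
        print(f"BLOCK unpinned dependency: {spec}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step on `git diff origin/main...HEAD` and the manifest; the non-zero exit is what turns the finding into a blocked merge rather than a report nobody reads. Scanning only added lines keeps the gate fast and stops it from re-flagging history the team has already accepted, which is the "make important security things easy" point the respondents raise.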

from DZone.com Feed https://ift.tt/2XC0WjS
