Sunday, June 30, 2019

DevSecOps #Fails

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What are the most common DevSecOps fails? How are they rectified?" Here's what they told us:

Culture

  • Changing the culture and mindset is not easy. Executives are tasked with this. We look to our executives to make DevSecOps and security something that’s infused throughout the organization. Until recently there was still a lot of talk and not a lot of action. 30% had not implemented a DevSecOps model. The executive team needs to create a built-in security culture at every step of the process, so that security is a priority for personal, team, and organizational goals. You must change mindsets throughout the organization.
  • Security staff must embrace the DevOps culture and show that they add value without adding friction. In particular, the security organization must be willing to give up manual release approvals.
  • The most common DevSecOps fails are: 1) Lack of assurance to business and project teams: understand the business context; identify and rank risk; engage senior technical people to work on security; integrate security activities (Threat Modeling, SAST, DAST, Pen Testing) in the SDLC. 2) Cultural barriers to collaboration: build collaboration between security, development, and operations teams; build a continuous security mindset. 3) Lack of security as a top priority for the business, auditors, and development teams: aim for long-term retention rather than short-term training; integrate workflows across teams to promote security. Starting from scratch: use existing standards such as OWASP Top 10, NIST 800-53, and ISO 27001. 4) Lack of automation: emphasize automation wherever possible to drive consistency; use virtualization and containers; continuously monitor application behavior and performance.
  • 1) Security must be an up-front concern for the team. Adding security later is not going to provide enough protection. 2) Don’t assume your developers and testers are experts in security. Train them up and continue to supplement their training on an ongoing basis to keep up with new developments and threats. 3) Partner with security professionals to ensure that your efforts are effective and efficient. 4) Your development and test environments are not necessarily your production environment. Security testing must be performed in production in order to uncover vulnerabilities that might not be apparent during development. 5) If you’re using open source libraries and components, check regularly that the versions you’re using have no known vulnerabilities, and update them if necessary.
  • DevOps overall is first and foremost a cultural transformation within an organization. It is aimed at breaking down the barriers between development, support and QA in order to create an environment based on collaboration and shared accountability. Difficulty in communication and collaboration, finger-pointing and a lack of enthusiasm for the common goals of the team are generally early warning signs that the DevOps initiative is not going well. These same principles apply to DevSecOps. In order to be successful, DevSecOps must be embraced by the entire team.

from DZone.com Feed https://ift.tt/2xpISe0
