Succeeding in a Marriage of DevOps and Security: 5 Tips for a Happy and Prosperous Union

Red hand holding a blue hand intertwined in a DevOps shape

Why DevOps And Security Need To Marry

It is well known that modernization through DevOps and cybersecurity are the two biggest IT challenges facing the federal government today—but how can federal CIOs rapidly address these issues simultaneously? Cybersecurity has historically operated as an independent entity with an emphasis on achieving compliance as opposed to engineering next-generation security. Development and operations teams typically viewed cybersecurity as a hindrance because it impacts their ability to adopt new technologies and slows down their process. In many cases, cybersecurity is the last stage of the development lifecycle where long lists of security problems and compliance issues are analyzed, documented, and sit waiting for remediation. By definition, DevOps does not imply exclusion of security or any facet of software development and delivery process. However, for federal institutions, the role of security needs to be exemplified and can no longer be an afterthought in the DevOps process.

By explicitly fusing security into the DevOps model and calling it DevSecOps, we are declaring a union that will collectively collaborate and deliver secure, high-performing systems. DevSecOps interjects security into the foundation of software development from day one. DevSecOps provides an integrated approach to unifying teams, technologies, and processes for faster, more robust, and secure products.

DevSecOps teams with multiple cross-functional capabilities can work together to address the two crucial objectives of any organization—increase the rate of releases and maximize security protection. This model generates a wealth of learning and experiential practices that can cost-effectively accelerate the pace of federal system modernization initiatives.

Keys to a Successful Marriage of DevOps & Cybersecurity

Uniting development, operations, and security in a DevSecOps model to deliver modern and secure technology solutions is not an easy endeavor. An effective marriage between the two requires the following five building blocks:

  1. Build trust early – empathy, collaboration, and communication

DevSecOps teams are not common yet, so you may be assembling a team that does not have experience working in this type of model. DevOps team members may have preconceived notions of the security team members and vice versa. It is imperative to build trust among team members early through collaboration and communication. The team needs to buy-in and develop a sense of empathy for their team members’ concerns. With this, they can collectively work towards an innovative solution using the most appropriate technology and designed for security from inception. This includes instrumenting security controls into the architecture, analyzing it for vulnerabilities, and addressing them as part of the development process. Security issues and tasks should be tracked in the same common product backlog and prioritized along with feature stories prior to each sprint.

  1. Come together and establish a common process framework

A common process framework should be established by unifying and aligning the security governance risk and compliance process established by the NIST Risk Management Framework and organizational system development lifecycle. A security engineer should be dedicated to this effort and participate from inception. From architecture design, to active development, to testing and operations—the security engineer actively collaborates with peers to integrate and implement secure engineering and design practices. This facilitates collaboration and an investment in each other’s success—collectively they succeed or fail and never point fingers.

  1. Be kind to your partner – commit to collaborate

A DevSecOps team has many diverse players with different goals and responsibilities. It is important to first rally the team together to work toward a common goal using all their expertise collaboratively. Next, it is important to learn, understand, and appreciate each other’s concerns, therefore eliminating the “no, it is not possible” approach. It is critical that team members understand each other’s challenges and jointly explore and provide alternative approaches to reach the best possible solution.

  1. Simplify life – automate repetitive tasks

DevOps teams automate through a CI/CD pipeline. Cybersecurity engineers should integrate into this pipeline, automating tasks that can range from security testing, to monitoring, and possibly documentation. By adhering to a common CI/CD pipeline, everyone is forced to get on the same page viewing a unified software release quality report that lays bare facts on security failures and software quality. This eliminates any chances for misinterpretation or misunderstanding.

eGT Labs®, the research and development arm of eGlobalTech (eGT), developed Espier®. This security tool automates and integrates security penetration testing as part of the CI/CD pipeline, enabling early detection and faster remediation of vulnerabilities while ensuring that only secure code is deployed.

  1. Keep the spark alive – continuously learn and evaluate emerging tools and technologies for adoption

DevSecOps teams need to keep the spark alive by continuously innovating. Developers need to stay ahead of the curve and produce the most cutting-edge solutions, while security experts need to make sure they are evaluating and securing those new technologies. While this is not a simple task for any side of the house, it is a challenge that will keep the marriage exciting. Many innovations should be in the form of automation for both development and security processes. On the security compliance front, composable security documentation practices are becoming viable and practical. It replaces a document-heavy compliance process into more machine-generated data construct that is a true factual depiction of security posture, as opposed to only human written opinions. By embracing these emerging practices, DevSecOps teams can achieve process efficiencies and deliver secure software faster.

Case Study

A public sector eGT client had a complex geospatial system prototype composed of Microsoft and open source applications with a growing number of ArcGIS services. This prototype was used in a production capacity and encountered frequent outages, as well as performance and security issues. eGT was engaged to transform and migrate this ecosystem to the cloud.

eGT applied our DevOps Factory® framework to re-engineer the target architecture, implement the security-first design, and automate the end-to-end cloud migration process onto our managed AWS infrastructure. By collaborating with the security organization and instrumenting security controls into the architecture from inception, we successfully passed all required security audits with no major POAMs and achieved full Authority to Operate (ATO) within four months.

Leveraging Cloudamatic®, an open source cloud-orchestration framework developed by eGT Labs, we instrumented security and operational monitoring and log aggregation as part of the automated deployment process. This enabled our team to proactively detect security threats and respond quickly by patching cloud environments composed of hundreds of instances running both open source and commercial software in a matter of minutes.

DevSecOps: Happily Ever After

The needs to “accelerate time to market” and “maximize application and information protection” are not diametrically opposed to each other. They are two conjoined business requirements for any agency that desires to successfully thrive in today’s digital world. Government CIOs can achieve this by uniting teams in a DevSecOps model using best practices to ensure a strong and successful team culture.

Please contact devopsfactory@eglobaltech.com to learn more about how eGlobalTech practices DevSecOps in system modernization initiatives at DHS, HHS, and other civilian agencies.

 

Copyright 2018 | eGlobalTech | All rights reserved.