Editor’s Note: Part 1 of a 5 Part series on securing DevOps environments based on insights from Global 1000 CISOs. This installment covers how to bring DevOps and security teams into alignment.
Securing DevOps environments is an increasingly important concern for Chief Information Security Officers (CISOs) and security teams. Earlier this year, we published The CISO View – Protecting Privileged Access in DevOps and Cloud Environments. The report established a series of recommendations based on insights gained from a diverse panel of expert CISOs from global 1000 organizations. Contributors to the report include executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, Pearson, Asian Development Bank, American Express, NTT Communications, Carlson Wagonlit Travel, Orange Business Services, American Financial Group (AFG) and GIC Private Limited.
In this five-part blog series, we’ll expand guidance on each of the five recommendations highlighted in the CISO View report with the goal of helping security teams leverage these experiences and apply them to their own environments to improve DevOps security.
- Transform the security team into DevOps partners
- Prioritize securing DevOps tools and infrastructure
- Establish enterprise requirements for securing secrets and credentials
- Adapt processes for application testing
- Evaluate the results
Transform the Security Team into a DevOps Partner – Part one of the series will address how organizations can bring their DevOps and security teams into alignment and establish collaboration for stronger overall security.
While developers often recognize that security is important, it is not their top priority. More typically, the DevOps team prioritizes delivering new capabilities and features to the business and customers, often as part of a larger digital transformation initiative. And, developers often view security as something that will slow down deployments.
Security teams often have limited DevOps knowledge or expertise. Too often the result is that DevOps adoption begins and even takes hold inside an organization before the security team really gets involved. Consequently security vulnerabilities are not always adequately addressed in DevOps environments and can drive unnecessary risk.
As the CISO View report points out, it’s important for the security team to take the lead in integrating security into the DevOps processes before poor practices become entrenched.
So, how can security teams better engage, energize and collaborate with their DevOps counterparts to strike the right balance? The following five tips summarize the panel’s guidance for transforming security teams into DevOps partners:
- Establish the requisite skills to get in the driver’s seat. Effective collaboration requires effective communication. While developers write the actual code, it’s important for security teams to gain knowledge about programming languages along with how applications are built, tested and deployed automatically. This will help them have more meaningful discussions and credible conversations. Security professionals can start by learning some of the fundamentals: PowerShell, Python, and Rust, as well as how DevOps tools use REST calls and containerization technologies – particularly Docker and Kubernetes.
- Make it easy for developers to do the right thing. As one CISO View contributor noted, “You can’t be the manual cog in their completely automated process.” Make it easy for developers to do the right thing by training them in secure coding practices and implementing a self-service model for security capabilities. For example, you could provide security policy as code that can be integrated into the developers’ automated processes.
- Establish effective ways to collaborate. Set up formal systems to ensure DevOps practitioners understand security risks and implement good security practices across the organization. Consider how best to deploy security resources into existing or new organizational models and structures. The report outlines approaches to improving DevOps security, which include establishing centers of excellence, community leaders, security champions and embedding security team members inside development teams.
- Get developers to think like attackers. Educate DevOps teams on specific attacker tactics, show how sample code modules could expose secrets and provide examples as user stories. For example, “As an attacker, I would scan the organization’s code repositories looking for secrets.” Take the team through a penetration testing exercise or engage a Red Team to demonstrate how an attacker would compromise a CI/CD pipeline.
- Adopt Agile and DevOps methods. Security should begin utilizing Agile and DevOps methods within their own teams, not only to gain a deeper understanding of DevOps methodologies, but also to achieve greater efficiency by automating tasks or delivering capabilities in smaller increments more frequently.
The bottom line – understanding how other enterprises approach secrets management challenges across DevOps and cloud environments can help encourage collaboration and help fast-track the security team’s own efforts.
Next Steps – Check back soon, in the coming weeks, in part 2 we’ll be taking a closer look at how to prioritize securing DevOps tools and infrastructure.