5 tips for creating a secure DevOps culture
Making the leap from a traditional DevOps cycle to a security-minded DevOps cycle — what we call secure DevOps — is no small feat. Putting security at the core of your DevOps cycle requires transparency, trust, buy-in from all sides, and continuous collaboration and optimization. In short, it calls for a culture shift.
Because it’s such a new approach, secure DevOps takes many forms from company to company. Perhaps your CI runs a static analysis tool to check for vulnerabilities in dependencies as part of your testing pipeline. Maybe Ops documents a plan for delivering actionable threat intelligence for when the need arises. Or, it could be that your organization invests in training to ensure that the team has a solid awareness of basic secure development concepts.
No matter the actual implementation, in a practical sense it’s all about finding opportunities along the CI/CD path for your development, operations, and security teams to sign off on security decisions together. Here are five tips to help your team build an environment in which secure DevOps can thrive.
Invest in secure DevOps to save time in the long term
The number one fear amongst developers when it comes to implementing security in the DevOps cycle is that it will slow down their progress. But investing in the creation of a secure DevOps lifecycle that works for your team results in a more secure foundation for your app from day one, which means you won’t have to go back to fix or replace that foundation later. If automated correctly, secure DevOps can save time, money, frustration, and even potential litigation in the long run.
Find your fellow believers
Having the right people at the helm of each department can influence the entire team’s acceptance of this new process. Find those colleagues and counterparts who each see the value in secure DevOps and will advocate for it. Your collective conviction will permeate the organization and begin to create a culture in which the secure DevOps lifecycle is embraced. These partnerships will also set an example of how your teams should work together and play to each other’s strengths.
Encourage curiosity and learning
For secure DevOps to be successful, developers need to be fully equipped with an understanding of modern app security practices. Create space for sharing helpful articles and videos, attending webinars, and testing new tools. Encouraging a culture of learning will not only give you and your team an edge but also sends a signal that the company is dedicated to its people and the success of the secure DevOps process.
Automate as much as you can, and streamline what you can’t
Anything that slows down the CI pipeline can cause developers to hurry, skip key steps, or be reluctant to deploy. Speed is still key in the CI/CD cycle, even with secure DevOps in place. So supply your team with as many automated tools as they need to communicate, test, monitor, model threats, and more. Bandit, Brakeman, Cargo Audit, Dawn Scanner, and Trufflehog — Fastly supports integration with all of these automated solutions, fitting into current DevOps toolchains so developers can test in their own environments.
There is, however, always room for good, old-fashioned human brainpower. In these cases, it’s best to have documented processes in place that will keep the cycle moving. Peer review is a perfect example of this. Linters and static analyzers are great at making sure code will compile and doesn't contain common errors, and a reliable test suite can validate that code will function as intended. But a manual peer review can quickly and easily identify unexpected new functionality or issues not picked up by analysis tools. The same goes for access controls. It’s easy to write automation that manages access controls based on group and team membership. But ultimately, privileged access should still be gated by a manual approval process, so that the automation itself can't be abused by an attacker to gain access to sensitive systems. Peer review is easily complemented by tooling, but often the human touch is critical when it comes to controlling variables that can't be easily captured via automation.
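One concrete way the automation of the previous section and the human sign-off described above fit together, as an added example that is not Fastly's code or any of the named tools' own: a CI gate that reads Bandit's JSON report, fails the build on findings at or above an agreed severity, and only waives a finding when a named reviewer has recorded acceptance. The report, the file names and the accepted-risk list are constructed for the example; the JSON field names follow `bandit -f json` output.

```python
import json

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample in the shape of `bandit -f json` output (trimmed fields).
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/auth.py", "line_number": 7, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
        {"filename": "scripts/migrate.py", "line_number": 19, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue."},
    ],
})

# Hypothetical accepted-risk list: a finding is waived only when a named reviewer signed off.
ACCEPTED = {
    ("scripts/migrate.py", "B602"): "reviewed-by: alice, ticket SEC-PLACEHOLDER",
}

def evaluate(report_json, threshold="MEDIUM", accepted=ACCEPTED):
    """Return (passed, blocking, waived) for a Bandit JSON report."""
    report = json.loads(report_json)
    if report.get("errors"):
        # A crashed or partial scan is not a clean scan: never let it pass silently.
        return False, [f"scanner error: {e}" for e in report["errors"]], []
    blocking, waived = [], []
    for r in report.get("results", []):
        if SEVERITY_RANK[r["issue_severity"]] < SEVERITY_RANK[threshold]:
            continue  # below the bar the team agreed on; still visible in the raw report
        key = (r["filename"], r["test_id"])
        line = f'{r["filename"]}:{r["line_number"]} {r["test_id"]} [{r["issue_severity"]}] {r["issue_text"]}'
        if key in accepted:
            waived.append(f"{line} ({accepted[key]})")
        else:
            blocking.append(line)
    return not blocking, blocking, waived

if __name__ == "__main__":
    ok, blocking, waived = evaluate(SAMPLE_REPORT)
    print("\n".join(["waived: " + w for w in waived] + ["BLOCK: " + b for b in blocking]))
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```

Run as a CI step after `bandit -f json -o report.json`, it blocks the sample merge on the unreviewed B608 finding while recording who accepted the B602 one.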
To make a more informed choice when it comes to selecting the right secure DevOps tools for your organization, read our white paper where we outline four capabilities to consider.
Set expectations and urge transparency
In the early days of implementing secure DevOps, get the Dev, Security, and Ops teams together and decide what each team should expect from one another. What’s reasonable? What’s not? What threats should be reported? What constitutes alert overload? What bottlenecks might we encounter and how can we avoid them?
It’s also incredibly important that all teams have actual visibility into the product and its logs. A constant, direct line of sight into your traffic allows you to detect potential threats and respond appropriately as quickly as possible.
Integrating security at the core of your DevOps cycle may seem overwhelming. But — good news — the best way to start is to start small. Pick a small initiative, set the process in motion, get it working, demonstrate its value, and build from there. By putting just one or two practices in place, you’re well on your way to building more secure apps quickly. And that’s a win for everyone.