GPSG’s cyber team had a lot of fun at RSA 2019! We learned about innovative technologies and some of the latest security management approaches. We also caught up with existing partners and made new friends.
Approach DevOps Security in Manageable Chunks
A highlight of the conference for me was DevOps Day. The practitioners focused on different approaches for integrating security into DevOps initiatives.
For example, reducing the size of the security policy can make DevOps security more manageable. Most IT and security teams lack the time to digest a lengthy policy, and developers may never review it at all, let alone apply it in the course of their day-to-day development duties.
One alternative to a large, static security policy is to develop 7 to 12 key tenets, or pillars, of DevOps security, tailored to your enterprise mission and objectives.
As a result, developers can more easily focus on following a short list of tenets from a strategic perspective, rather than wasting time digesting an oversized security policy that may lose relevance, or senior leadership buy-in, over time.
The tenets are treated as a living security policy, edited and updated on an ongoing basis. Examples of tenets might include the following:
- Training on secure coding practices
- Code review
  - by other internal enterprise development teams
  - by external third parties
- Code analysis tool integrations
The tenet approach also includes a ticketing or tracking tool in which DevOps team members regularly self-report their adherence to each tenet; for example, developers rate how far they have applied each tenet in their own work and responsibilities. Self-reporting on the implementation of a tenet might use categories such as the following:
- Not thought about it
- Plan to implement
- Partial implementation
- Full implementation
From this feedback, a heat map chart is created for each primary focus area, and for reporting purposes an overarching summary is rolled up from those charts for the enterprise senior leadership team to analyze. As a result, each development team member is held accountable for integrating security into the DevOps process.
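The self-reporting roll-up described above, as an added example written for this page (it is not code from the original post or from GPSG). It assumes the ticketing or tracking tool can export one row per team, developer, tenet and self-reported level; the team names, the tenet list, the 0..3 scoring scale, the colour bands and the 60 percent reporting threshold are all assumptions of the example, and the report rows are constructed sample data.

```python
"""Tenet adherence heat map and leadership summary built from self-reports.

Added example, not code from the original post or from GPSG. Assumes a tracking
tool export of (team, developer, tenet, self-reported level) rows; team names,
tenets, the 0..3 scale, colour bands and the 60% threshold are assumptions.
"""
from collections import defaultdict

# The four self-reporting categories from the post, scored 0..3 (assumed scale).
LEVELS = {
    "Not thought about it": 0,
    "Plan to implement": 1,
    "Partial implementation": 2,
    "Full implementation": 3,
}
MAX_SCORE = max(LEVELS.values())

# Constructed sample export: (team, developer, tenet, self-reported level).
SAMPLE_REPORTS = [
    ("payments", "alice", "Training on secure coding practices", "Full implementation"),
    ("payments", "alice", "Code review", "Full implementation"),
    ("payments", "alice", "Code analysis tool integrations", "Partial implementation"),
    ("payments", "bob", "Training on secure coding practices", "Partial implementation"),
    ("payments", "bob", "Code review", "Full implementation"),
    ("payments", "bob", "Code analysis tool integrations", "Plan to implement"),
    ("platform", "carol", "Training on secure coding practices", "Plan to implement"),
    ("platform", "carol", "Code review", "Partial implementation"),
    ("platform", "carol", "Code analysis tool integrations", "Not thought about it"),
    ("platform", "dave", "Training on secure coding practices", "Not thought about it"),
    ("platform", "dave", "Code review", "Partial implementation"),
    ("platform", "dave", "Code analysis tool integrations", "Plan to implement"),
]


def _score(level, context):
    """Map a self-report level to its score; reject anything outside the scale.

    An unknown level is an error rather than a silent 0, so a typo in the
    tracking tool cannot quietly drag a tenet into the red.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown self-report level {level!r} for {context}")
    return LEVELS[level]


def heat_map(reports):
    """Return {team: {tenet: mean score}}: one heat-map cell per team and tenet."""
    scores = defaultdict(lambda: defaultdict(list))
    for team, _developer, tenet, level in reports:
        scores[team][tenet].append(_score(level, f"{team}/{tenet}"))
    return {
        team: {tenet: sum(v) / len(v) for tenet, v in tenets.items()}
        for team, tenets in scores.items()
    }


def band(mean):
    """Colour band for a heat-map cell (thresholds are assumptions)."""
    if mean >= 2.5:
        return "GREEN"
    if mean >= 1.5:
        return "AMBER"
    return "RED"


def render(hm):
    """Plain-text heat map: one row per team, one cell per tenet (mean and band)."""
    tenets = sorted({t for tenets in hm.values() for t in tenets})
    lines = ["team".ljust(10) + " | " + " | ".join(t[:24].ljust(24) for t in tenets)]
    for team in sorted(hm):
        cells = []
        for tenet in tenets:
            mean = hm[team].get(tenet)
            cell = "n/a" if mean is None else f"{mean:.1f} {band(mean)}"
            cells.append(cell.ljust(24))
        lines.append(team.ljust(10) + " | " + " | ".join(cells))
    return "\n".join(lines)


def summary(reports, threshold_pct=60.0):
    """Roll the per-team charts up into the overarching leadership summary.

    Returns overall adherence as a percentage of the maximum possible score,
    adherence per tenet, the tenets below the threshold, and how many
    developers have not thought about each tenet at all.
    """
    per_tenet = defaultdict(list)
    for team, _developer, tenet, level in reports:
        per_tenet[tenet].append(_score(level, f"{team}/{tenet}"))
    all_scores = [s for v in per_tenet.values() for s in v]
    if not all_scores:
        raise ValueError("no self-reports to summarize")
    tenet_pct = {
        t: round(100 * sum(v) / (MAX_SCORE * len(v)), 1) for t, v in per_tenet.items()
    }
    return {
        "overall_pct": round(100 * sum(all_scores) / (MAX_SCORE * len(all_scores)), 1),
        "tenet_pct": tenet_pct,
        "below_threshold": sorted(t for t, p in tenet_pct.items() if p < threshold_pct),
        "never_considered": {t: v.count(0) for t, v in per_tenet.items()},
    }


if __name__ == "__main__":
    print(render(heat_map(SAMPLE_REPORTS)))
    print(summary(SAMPLE_REPORTS))
```

The heat map keeps team-level detail for the focus-area charts, while the summary deliberately collapses to three numbers leadership will act on: overall adherence, the tenets below threshold, and the count of developers who have not considered a tenet at all, which is the strongest signal that a tenet needs attention.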

Prevent Security Waste
Another powerful theme at RSA this year was that "security is waste", in the sense used by Lean Six Sigma Black Belt and similar efficiency principles. Several other Lean IT and just-in-time (JIT) manufacturing concepts were also introduced at the conference.
I agree that efficiency should be introduced early on. For instance, it can be incorporated into IT processes, product deployments, and the DevOps process. This helps reduce short-term security waste and bottlenecks, saving time, money, and other finite resources in the long term.
Adding quality control to the development process reduces final-stage testing before developers or IT teams push new code. For
Connect with us today at cyberteam@gpsg.co for a free consultation on cybersecurity risk management.
