Digital transformation requires security at the core of DevOps culture and processes.
Under pressure from business lines, DevOps teams need concision, speed and security to ensure continuous integration and delivery. Security unfortunately is -too often- considered as an constraint to agility and it has to be demystified for a better and faster takeover by DevOps teams.
We will try to cover the organizational and cultural challenges in order to set up effective DevSecOps and how, as a manager, you can develop security awareness and skills in your agile teams.
Last but not least, we will try to point out how Crowd Sourced Security is a key enabler of your DevSecOps strategy to success.
What is at stake ?
- The sooner, the better : if security problems are tackled at their root it is easier for everybody to develop and deliver better and more robust products. Teams will gain both comfort and skills by detecting and fixing bugs far prior to the testing phase. This key phase reveals too often a deadlock, then implies a re-work and therefore a waste of time.
- Questioning the polarization of IT security team and developers' teams. There is a crucial need for improving seamless and constructive communication between both disciplines.
Incentivizing Security within your team
DevSecOps is trending and you have more and more publications on that topic. Some even published a DevSecOps' manifesto theorizing the means and goals of the discipline.
Beyond doctrine, let's keep our feet on the ground and let's try to list simple and relevant incentives to raise security awareness.
- Empower people inside your DevOps team who are passionate about security and give them opportunities to attend IT security events.
- Widen your circle of trust by promoting IT security enthusiast people to raise awareness within your DevOps team : plan debriefs on what they attend and encourage discussions about hottest security trends.
- Leverage gamification for them to develop their skills with tools like RootMe Sessions, CTF and Bug Hunting.
- Set up collaborative workshops and internal trainings within your company on a regular basis, led by IT security enthusiast people.
- Make your DevSecOps people be a go-between your DevOps team and the IT security Team and/or SOC.
- Reward teams who prove out to effectively increase the level of security by design in their developments.
Leveraging CrowdSourced Security as a key enabler of DevSecOps.
CrowdSourced Security is definitely the best ally not only in terms of continuous pentesting but also for empowering your agile teams with high security standards.
Despite the bunch of testing during the development workflow, security professionals know there will remain vulnerabilities in production. This is the reason why systems need to be designed to detect bugs not only during development but also in runtime.
Shifting left is a major move in DevSecOps strategy and Bug Bounty creates a synergy between an unlimited crowd of skilled people, your security team and your developers. Moreover, Bug Bounty strengthens your operational security in any part of the DevOps pipeline. It enables your systems to automatically be updated by ensuring seamless monitoring and remediation.
Data Collection and API
Metrics and data collection through Bug Bounty contribute to Machine Learning and facilitate the building of mitigation and remediation processes.
Bug Bounty and DecSecOps alignment will be the topic of a forthcoming post illustrated by our concrete partnership with Qualys. Stay Tuned folks !