Security and DevOps teams frequently don’t play well together because their goals diverge widely: one is focused on features and functionality while the other is focused on mitigating cyber risk. This lack of cohesion between teams is a detriment to organizations as well as to the people both groups seek to serve. How can security and DevOps teams work together to arrive at a healthy DevSecOps culture, one where all three areas (Dev, Sec and Ops) are in tune? The first step is understanding your own team’s existing culture.
The famous quote, “Culture eats strategy for breakfast,” often attributed to “inventor of modern management” Peter Drucker, doesn’t aim to undermine the importance of strategy. It rightly recognizes that even with the best of strategies, if a company's culture is toxic or not empowering to the employee, it has limited effect. The same is true when working to improve the relationship between security and DevOps teams. The first thing that needs to be addressed is the culture of your team.
How would you characterize it? Does the culture encourage innovation and calculated risk-taking? Or is it one that seems to stifle these things and make decisions in a vacuum? It’s critical to start your assessment here because this is in the scope of your control and influence – the culture outside of your team is not. Any team member can do this assessment regardless of their organizational “rank.”
Understand this: changing the culture of your team is not easy, but it is possible. Make sure to start here before proceeding to the next step.
If there is one thing that will quickly build a powerful culture, it's transparency. Whether you are on the DevOps or security team, what can you share with the other group? How can you let them into your world to find common ground?
Organizations that have successfully changed their culture are intentional about creating frequent touchpoints. I know of one organization that fostered this by having a weekly DevOps+Security lunch. The food was paid for by the company, and each week the teams would alternate presenting a challenge they were working on. They actively sought the feedback of the other team, despite it being outside their primary domain of knowledge. This forced interaction, while initially uncomfortable, eventually led to unplanned innovation.
DevOps and security teams always have multiple goals and metrics they work toward. On the surface, they may appear different. However, with a deeper look, there are often many commonalities.
For example, DevOps teams are typically focused on moving toward releasing on-demand and on reducing or eliminating technical debt (arguably it can never be eliminated entirely, but it is a worthy goal). Embedded within both of these goals are elements that security teams care very deeply about.
While organizations are all over the map in terms of how often they release software, one thing is true: they all want to go faster. To make real progress toward this goal, DevOps teams need to factor in non-functional requirements (NFRs) from the security team. By bringing the security team in at the very beginning of the goal-setting process, DevOps teams naturally increase their odds of releasing on-demand. Security teams also get a major win: when a software vulnerability is later found (and it will happen), DevOps teams are able to rapidly address it and push the fix to production with little to no delay.
Goals are important, but they must be measured. The same team I mentioned above also created shared metrics. The metrics in figure 1 below make it very clear how well DevOps and security are working together – or not. Note that these metrics assume you have taken time with security to map out your pipeline.
As with any metric, there must be a target to aim for. In the case of this organization, there is a lot of work to do, specifically around the inefficiency of discovering vulnerabilities post-production rather than pre-production. This organization was likely one of the 43% with insecure CloudFormation templates recently discovered by Unit 42 in their Spring 2020 Cloud Threat Report.
Creating DevSecOps as a culture isn’t impossible. However, it does take a focus on team interactions and transparency, as well as shared goals and metrics. While every organization is different, it is universally true that more frequent engagement and collaboration will build trust between DevOps and security teams.
Whether you are a team leader or right out of college, you have the power to bring your organization one step closer to DevSecOps as a culture.
Learn more about DevSecOps, the culture needed to support it and the tools to empower it at the State of Cloud Native Security virtual summit.