Securing DevOps environments is an increasingly important concern for Chief Information Security Officers (CISOs) and security teams. Earlier this year, we published The CISO View – Protecting Privileged Access in DevOps and Cloud Environments. The report established a series of recommendations based on insights gained from a diverse panel of expert CISOs from Global 1000 organizations. Contributors to the report include executives from ING Bank, CIBC, Rockwell Automation, Lockheed Martin, Starbucks, Pearson, Asian Development Bank, American Express, NTT Communications, Carlson Wagonlit Travel, Orange Business Services, American Financial Group (AFG) and GIC Private Limited.
In this five-part blog series, we will expand on each of the five recommendations highlighted in the CISO View report, with the goal of helping security teams apply the panel's experience to their own environments and improve DevOps security.
- Transform the security team into DevOps partners
- Prioritize securing DevOps tools and infrastructure
- Establish enterprise requirements for securing secrets and credentials
- Adapt processes for application testing
- Evaluate the results
Transform the Security Team into a DevOps Partner
Part one of the series covers how organizations can bring their DevOps and security groups into alignment and establish collaboration for stronger overall security. While developers often recognize that security is vital, it is not their top priority. More typically, the DevOps team prioritizes delivering new capabilities and features to the business and customers, often as part of a larger digital transformation initiative. And developers often view security as something that will slow down deployments.
So, how can security teams better engage, energize and collaborate with their DevOps counterparts to strike the right balance? The following five guidelines summarize the panel's guidance for transforming security teams into DevOps partners:
- Establish the requisite skills to get in the driver’s seat.
Effective collaboration requires effective communication. While developers write the actual code, it is important for security teams to develop knowledge of programming languages along with how applications are built, tested and deployed automatically. This will help them hold more meaningful discussions and credible conversations. Security professionals can start by learning some of the fundamentals: PowerShell, Python, and Rust, as well as how DevOps tools use REST calls and containerization technologies, particularly Docker and Kubernetes.
- Make it easy for developers to do the right thing. As one CISO View contributor noted, “You can’t be the manual part in their completely automated procedure.” Make it easy for developers to do the right thing by training them in secure coding practices and implementing a self-service model for security capabilities. For example, you could offer security policy as code that can be integrated into the developers’ automated processes.
- Establish effective ways to collaborate. Set up formal mechanisms to ensure DevOps practitioners understand security risks and implement good security practices across the organization. Consider how best to deploy security resources into current or new organizational models and structures. The report outlines ways to improve DevOps security, including creating centers of excellence, community leaders and security champions, and embedding security team members in development teams.
- Get developers to think like attackers. Educate DevOps teams on specific attacker tactics, show how sample code modules could expose secrets, and provide examples written as user stories. For example, “As an attacker, I would scan the organization’s code repositories looking for secrets.” Take the team through a penetration testing exercise or engage a Red Team to demonstrate how an attacker would compromise a CI/CD pipeline.
- Adopt Agile and DevOps methods.
Security teams should begin using Agile and DevOps methods within their own teams, not only to gain a deeper understanding of DevOps methodologies but also to achieve greater effectiveness by automating tasks and delivering capabilities in smaller increments more frequently.
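The items above on offering security policy as code and on showing developers how code modules can expose secrets can be demonstrated with one artifact. What follows is an added example, not code from the CISO View report or this post: a small secret-detection gate a security team could hand to developers as a self-service pipeline step. The rule set, the `# allow-secret` marker for reviewed exceptions and the sample module are all constructed for illustration; a production scanner would carry a far larger rule set.

```python
import re
from typing import Dict, List, Tuple

# Detection rules (constructed for this example): two well-known secret shapes plus a
# generic "credential-looking assignment" rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}
# Placeholders that look like credentials but are not, plus an inline marker for
# reviewed exceptions (test fixtures), so the gate does not cry wolf.
PLACEHOLDER = re.compile(r"(?i)^(?:<.*>|\$\{.*\}|changeme|example|dummy)$")
ALLOW_MARKER = "# allow-secret"

def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line number, rule name) for every suspected secret in one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "hardcoded_credential" and PLACEHOLDER.match(match.group(1)):
                continue
            findings.append((lineno, rule))
    return findings

def policy_gate(sources: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Policy as code: the pipeline step passes only when no file has findings."""
    report = [f"{path}:{lineno}: {rule}"
              for path, text in sources.items()
              for lineno, rule in scan_source(text)]
    return (not report), report

# Constructed sample module: a leaked password, a leaked-looking AWS key id, a correct
# environment lookup, a placeholder and a reviewed test fixture.
SAMPLE_MODULE = """\
import os
DB_PASSWORD = "hunter2hunter2"
API_KEY = os.environ["API_KEY"]
aws_key = "AKIAEXAMPLEEXAMPLE00"
token = "${VAULT_TOKEN}"
TEST_PASSWORD = "fixture-pass-123"  # allow-secret
"""
```

Run `policy_gate` from a pre-commit hook or CI step and fail the build when it returns `False`; the report gives developers the file and line to fix, which is what makes the secure path the easy path.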
The bottom line: understanding how other enterprises approach privileged access and secrets management across DevOps and cloud environments can help boost collaboration and advance the security team’s own efforts.