The Book
Membership
Explore MembershipGlobal Expansion Program
AppSecConS3M2Journey to AppSec Maturity
Events
Upcoming Events
RSAC 2024
JTAM OWASP Global AppSec conferenceJTAM AWS ReInvent conference
Past Events
Mumbai ChapterAtlanta ChapterBengaluru ChapterNew Delhi ChapterNYC Chapter LaunchCyber SoireeWomen In SecurityDavos DialogueFirst LookSBOM
Cyber Future Dialogue 2024
JTAM Virtual Workshop - September
JTAM Roundtable - OWASP Global AppSec
Resources
PodcastBlogState of AppSec 2023
Contact Us
The Book
Membership
Explore Membership
Global Expansion Program
AppSecCon
S3M2
Journey to AppSec Maturity
Events
Resources
Contact Us

DevSecOps: Four Pillars for Success

By 
Nikhil Gupta
,
and
May 16, 2022

The FBI’s ‘2020 Crime Report’ shows that in the same year there were 791,790 alleged internet crime complaints. An increase of over 300,000 complaints compared to 2019, and the highest increase ever recorded.

Over 61% of website visitors originate from mobile devices in the US, a statistic that’s directly proportional to the number of cyberattacks on mobiles. Called social engineering attacks, cybercriminals manipulate human behavior and psychology to access devices.

This is where security by design would provide a tough layer of protection because the device would have security enmeshed in the design right from the start.

Achieving security by design with DevSecOps

“We will not wait for our organizations to fall victim to mistakes and attackers. We will not settle for finding what is already known; instead, we will look for anomalies yet to be detected.”

These lines from the manifesto from DevSecOps.org, a community for promoting the DevSecOps approach? That’s essentially security by design. A process that is preventive and preemptive rather than reactive.

What are the pillars for DevSecOps success?

DevSecOps might be one of the smartest ways to achieve high-end security yet, but organizations need to overcome many hurdles before they can implement it. Often, these include resistance from different teams, expenses, the required expertise, tools and process upgrades, and so on. 

However, if businesses are able to work together towards implementing it, then there are three conventional pillars of success to keep in mind.

People across the organization

Puppet’s 2021 State of DevOps report emphasizes that “while DevOps was made possible by automation, programmable infrastructure, and more accessible programming languages and APIs, it was fundamentally a human-centered movement, focused on improving the interactions between people.”

DevSecOps requires the same people-first approach for it to work smoothly. It requires empathy, trust, and all the other necessary ingredients that go into creating a DevSecOps culture. Without buy-in from everyone right from the top management to junior developers, the transformation will not begin where it should - at the grassroots level.

In-built processes

Robust frameworks, practices, and processes form the skeleton around a new approach and need to be developed and put in place from the beginning. The entire organization needs to work together as a single unit that defines the architecture for a DevSecOps approach to really have an impact. And your work doesn’t end there. Once put in place, processes need to be adapted to the continuous evolution of the organization.

Using the right tools

Accessible programming languages, an API-driven approach, implementing automation, and other such steps and tools are a must to make a successful DevSecOps transformation. DevSecOps requires special tools for threat-modeling, log management, and automated testing, among others, to strengthen the CI/CD pipeline. 

The use of the right tools enables a change in perspective towards DevSecOps too. For instance, the more automation you introduce the lesser the worry about security causing delays.

No one size fits all - the fourth pillar

Once you decide to take the plunge and start the DevSecOps transition there’s one question that lingers - where do you start and is there a template? 

The answer is simple: start where you are. The focus here is on you. Take stock of where you stand as a business - people, processes, goals, revenue, etc. - and develop an approach that’s right for you.

Take the US Navy, for instance. In a 2021 case study included in The DevOps Handbook, the US Navy took the culture-shift route to begin their technology upgrade and DevSecOps transition. That included team-building exercises and activities encouraging people to get to know each other better to foster a friendlier, collaborative environment first. The next step was setting up training exercises to know software tools and practices and to learn the importance of cybersecurity.

The Purple Book Community’s role in the DevSecOps journey

“To build a purpose driven, trusted, and safe community that equips people with the expertise to embrace secure development practices, connect with other practitioners to solve the ever-evolving challenges, and ultimately democratize software security.”

That’s the vision of the Purple Book Community. To share learnings, provide guidance through your unique DevSecOps journey, and help cultivate a vibrant atmosphere of diversity and inspiration. Changing a culture is hard, but it’s possible. And with a Community, it becomes easy.

Nikhil Gupta
CEO and Co-founder, ArmorCode
Uniting security leaders and practitioners on a mission to democratize software security and solve its ever-evolving challenges with the power of Community.
The Book
Membership
Podcasts
Blogs
Events
Past Events
AppSecCon New York Reception
AppSecCon Austin Reception
AppSecCon  Santa Clara Reception
Mumbai Chapter
Atlanta Chapter
Bengaluru Chapter
Davos Dialogue
Resources
Contact Us
Copyright © Powered By ArmorCode Inc.
Privacy Policy
|
Terms & Conditions
The information contained in the Purple Book of Software Security and associated marketing material contains content expressed by Purple Book Community members. These opinions are their own, are not affiliated with the organizations that they belong to and have no commercial affiliation or any endorsement of any commercial products or services, including the community sponsors.