DevSecOps: Four Pillars for Success

By 
Nikhil Gupta
May 16, 2022

The FBI’s ‘2020 Crime Report’ shows that in the same year there were 791,790 alleged internet crime complaints. An increase of over 300,000 complaints compared to 2019, and the highest increase ever recorded.

Over 61% of website visitors originate from mobile devices in the US, a statistic that’s directly proportional to the number of cyberattacks on mobiles. Called social engineering attacks, cybercriminals manipulate human behavior and psychology to access devices.

This is where security by design would provide a tough layer of protection because the device would have security enmeshed in the design right from the start.

Achieving security by design with DevSecOps

“We will not wait for our organizations to fall victim to mistakes and attackers. We will not settle for finding what is already known; instead, we will look for anomalies yet to be detected.”

These lines from the manifesto from DevSecOps.org, a community for promoting the DevSecOps approach? That’s essentially security by design. A process that is preventive and preemptive rather than reactive.

What are the pillars for DevSecOps success?

DevSecOps might be one of the smartest ways to achieve high-end security yet, but organizations need to overcome many hurdles before they can implement it. Often, these include resistance from different teams, expenses, the required expertise, tools and process upgrades, and so on. 

However, if businesses are able to work together towards implementing it, then there are three conventional pillars of success to keep in mind.

People across the organization

Puppet’s 2021 State of DevOps report emphasizes that “while DevOps was made possible by automation, programmable infrastructure, and more accessible programming languages and APIs, it was fundamentally a human-centered movement, focused on improving the interactions between people.”

DevSecOps requires the same people-first approach for it to work smoothly. It requires empathy, trust, and all the other necessary ingredients that go into creating a DevSecOps culture. Without buy-in from everyone right from the top management to junior developers, the transformation will not begin where it should - at the grassroots level.

In-built processes

Robust frameworks, practices, and processes form the skeleton around a new approach and need to be developed and put in place from the beginning. The entire organization needs to work together as a single unit that defines the architecture for a DevSecOps approach to really have an impact. And your work doesn’t end there. Once put in place, processes need to be adapted to the continuous evolution of the organization.

Using the right tools

Accessible programming languages, an API-driven approach, implementing automation, and other such steps and tools are a must to make a successful DevSecOps transformation. DevSecOps requires special tools for threat-modeling, log management, and automated testing, among others, to strengthen the CI/CD pipeline. 

The use of the right tools enables a change in perspective towards DevSecOps too. For instance, the more automation you introduce the lesser the worry about security causing delays.

No one size fits all - the fourth pillar

Once you decide to take the plunge and start the DevSecOps transition there’s one question that lingers - where do you start and is there a template? 

The answer is simple: start where you are. The focus here is on you. Take stock of where you stand as a business - people, processes, goals, revenue, etc. - and develop an approach that’s right for you.

Take the US Navy, for instance. In a 2021 case study included in The DevOps Handbook, the US Navy took the culture-shift route to begin their technology upgrade and DevSecOps transition. That included team-building exercises and activities encouraging people to get to know each other better to foster a friendlier, collaborative environment first. The next step was setting up training exercises to know software tools and practices and to learn the importance of cybersecurity.

The Purple Book Community’s role in the DevSecOps journey

“To build a purpose driven, trusted, and safe community that equips people with the expertise to embrace secure development practices, connect with other practitioners to solve the ever-evolving challenges, and ultimately democratize software security.”

That’s the vision of the Purple Book Community. To share learnings, provide guidance through your unique DevSecOps journey, and help cultivate a vibrant atmosphere of diversity and inspiration. Changing a culture is hard, but it’s possible. And with a Community, it becomes easy.

Nikhil Gupta
CEO and Co-founder, ArmorCode