A Movement to Foster Continuous Security

By Upendra Mardikar, January 29, 2022

Hesitating to Adopt DevSecOps? You’re Not Alone

With the move from Waterfall to Agile, technology organizations realized the need to create DevOps to ensure developers and operation teams are in sync. Several smart people in the industry have written blogs and shared their experiences on how DevOps has helped organizations move fast.

In most organizations, security is always an afterthought. The reason could be the perception that security is a nay-saying organization. A recent 2021 study from Forrester has revealed that security continues to be seen more as a hindrance than as an enabler. Forrester’s survey, done in collaboration with VMWare, showed that 52% of developers feel security processes constrain innovation.

We have seen how the movements of Continuous Integration, Continuous Delivery, Continuous Deployment, etc. have been arguably successful in delivering on their promises. The goal has always been to deliver products and innovation rapidly. I want to add to this goal: it should be to rapidly deliver products and innovation that are secure and safe for customers to use. We need both speed of delivery and security.

We need Continuous Security - security that is in the DNA of the organization and is embedded in a seamless way.

For this blog, without getting into the religious arguments of SecDevOps and DevSecOps, I call it DevSecOps and focus on the end goal.

To ensure that security is not left behind and is seen as a business enabler, we focus on Continuous Security. One of the essential ingredients of Continuous Security is implementing DevSecOps the right way. Well-implemented security is a more streamlined, ‘shift left’ approach that bakes it in right from the start of the development process. To make it really secure, we not only shift left but try to shift “up” in the organization and push it closer to the CEO and the board. More about how to shift up later. But bringing it back to DevSecOps, weaving security into CI/CD processes means developers are able to fix security gaps before production, gaps that would otherwise affect end users and result in lost data.

What’s special about DevSecOps?

An IBM 2021 report found that data breaches cost businesses US$ 4.24 million, the highest ever in 17 years. DevSecOps combines development, security, and operations to deliver products quickly without compromising on security.

From a security standpoint, the approach:

  • Considerably reduces vulnerabilities
  • Helps implement and maintain compliance throughout the delivery process
  • Fosters transparency and forms trusted relationships with partners
  • Makes traceability stronger
  • Improves agility, collaboration, and security

From a business standpoint, DevSecOps:

  • Reduces costs and fast-tracks delivery
  • Helps avoid security disasters and, therefore, negative publicity
  • Promotes collaboration and a positive work culture
  • Increases operational efficiency
  • Increases product reliability

Barriers to adoption

Sounds simple and logical, doesn’t it? But following DevSecOps processes means developers need to adhere to detailed security protocols, which they feel hampers creativity and slows down development.

DevSecOps requires teams to collaborate seamlessly, but long-standing friction, especially between developers and security experts, often gets in the way.

Companies also point to the lack of adequate application security experts who can carry out DevSecOps processes.

The last but equally grave challenge is the absence of scalable, automation-first, API-based processes along with other tools.


What is the Purple Book Community? - Movement to foster Continuous Security

We need a movement to foster Continuous Security, and one of the first challenges is doing DevSecOps the right way. Overcoming the DevSecOps challenge is as much about enabling people as it is about building new tools. The challenges that DevSecOps poses cannot be solved with purely technical solutions. It needs a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about.

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts to write a comprehensive book about DevSecOps, AppSec, and product security perspectives, best practices, and case studies. This book will be offered free for the benefit of the broader community. But the community has since grown beyond the original 29 industry experts and now has 150+ members, all dedicated to promoting secure software development practices.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks to show how businesses can steadily add robust layers of security by adopting DevSecOps. It helps companies accelerate their processes by learning from practitioners who have been there and done that. The book and contents will be kept current by leaders writing blogs and publishing podcasts regularly.

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

The first three chapters of the Purple Book of Software Security have been released; the rest of the chapters are in the final stages of editing and will be available free of cost here. You can also listen to the co-authors as they share their thoughts about the book and answer questions.

Participate in the community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. It also invites security leaders to contribute blogs and be part of podcast discussions. You can join the community by clicking here: https://www.thepurplebook.club/join-the-community. To know the latest updates and participate in events, check out the community’s LinkedIn page.

Upendra Mardikar
CISO, Snap Finance