Transform operational security – shift left with DevSecOps

This roundtable, led by Adaptavist's Chief Technology Officer, Jon Mort, and GitLab's Senior Technical Marketing Manager, Fernando Diaz, focused on DevSecOps. Shifting security left and embedding it right at the heart of the software development delivery pipeline is the best way to resolve security issues before they make it into production.

Sure, we need to have well-defined vulnerability and security incident management processes in place. That's a given. But it’s clear that solving the problem after the fact isn't going to cut it. We need to prevent it from happening at source, in the first place.

As with any digital transformation initiatives, implementing DevSecOps or adding security to your DevOps processes means taking a new approach to people, processes, and technology – all of which was discussed by the experts and a group of senior leaders tackling DevSecOps initiatives. From the current state of operational security and DevSecOps best practices to successful team structures and ensuring separation of duties.

Here are a few of the key survey takeaways raised during the roundtable:

Next, we got onto some fantastic in-depth discussions focused on three key areas.

Establishing a DevSecOps mindset is vital, thinking about security right from the beginning when developing applications. That means shifting left, starting from considering security at the design stage, assessing threats and risks before a new project even starts, and embedding security practices in the software delivery pipeline. Creating a DevSecOps-centric culture should include in-depth analysis to understand the threats and clear policies. Hence, staff across the organisation are security-aware and know how to handle data.

“At GitLab, we include security awareness as part of our day-to-day. We ensure employees are trained on security, even if they're not in a security role. For example, we have policies in place for employees to follow best practices when opening unknown emails, sharing data, etc., with training around these areas.” – Fernando Diaz, Senior Technical Marketing Manager, GitLab

There should also be good change-control practices, such as code review and segregation of duties. And minimal permissions. Practices tailored for and taking into account an organisation's context and scale are needed to ensure that the culture of security is fostered from intention to actionable change.

Additionally, checks and balances should be implemented into a platform to prevent mistakes, such as merging insecure code. Also, there should be regular collaboration between developers and the security team. This not only educates developers to be more security conscious but reduces the time to push secure code.

An important part of the DevSecOps journey as a company is understanding where you are now and what issues you are facing. Adaptavist's maturity assessment is a great way to establish a baseline and highlight where improvements can be made. For example, do you have problems scanning code for vulnerabilities? It can be a big issue for many organisations. There are solutions out there. For example, GitLab provides a large set of security scanners, but many people don't know how to get started with them or what they actually do.

You need to be able to triage and manage those vulnerabilities, too, as well as adhering to strict compliance policies; GitLab has vulnerability management – to triage and manage the vulnerabilities found within your project – and compliance management built in. A compliance dashboard, for example, helps you to see where your organisation is strong and where there are areas for improvement.

"With very strict compliance policies, there are lots of things you need to check and maintain. It's very complex. There are so many different types of code scanners. How do you know you're using the right ones? And how can you manage these vulnerabilities? These things aren't obvious at first, but can be planned out with a deeper understanding of your compliance needs" – Fernando Diaz, Senior Technical Marketing Manager, GitLab

"Automation can really make sure there are tickets to track the work that needs to be done, mitigating vulnerability and making it a part of the regular development life cycle is massively important and a fairly simple thing to do." – Jon Mort, Chief Technology Officer, Adaptavist

Automation is also your friend when it comes to scanning for malicious activity or if there's been an unwarranted escalation of privileges. Continuous compliance combined with the Automation necessary to detect, fix and raise issues can ensure that being compliant isn't an ad-hoc or periodic task left to a few specific roles

When it comes to all these processes, it's important to consider how you will scale your successful security practices as the organisation grows without losing its effectiveness.

"For every 20 developers, you might have one security team member or less. That's why it’s important to think at scale with everyone thinking about security, with accessible tools, rather than only specialists being able to use those tools." – Fernando Diaz, Senior Technical Marketing Manager, GitLab