“We were making cars without any brakes or seat belts.” That’s how moderator Keith Shinn, SVP, Head of Infrastructure of Caliber Home Loans, described DevOps during the ONUG virtual event this past spring. Joining his discussion were Shannon Lietz of Intuit, Pat O’Neil of FedEx and Chris Zanelli of Citihub. The group addressed challenges and possible solutions to institutionalizing DevSecOps in the large enterprise.
IT business leaders are under pressure to deliver digital revenue streams at speed. DevOps makes that possible by improving agility and hastening time to market. However, how do enterprises accomplish this while keeping their networks and infrastructure secure? Is institutionalizing DevSecOps about adopting new technologies and frameworks, or is it really a major shift in IT culture, business processes and governance issues? Listen to the panel’s entire conversation here. Below is a summary of their discussion.
“It represents the confluence of something very important,” said O’Neil. DevSecOps is more than just including software security checks in your pipeline. It has a wide application beyond the public cloud, from colo (colocation) to on-prem (on-premises) software. It’s vital that organizations get development, operations and security to work together on the same team.
Zanelli agreed, adding that “the elements of DevSecOps that build policy as code and structured compliance really help the risk and security side key up with the pace of change.” Getting key stakeholders involved is about building a new culture, where all key players are at the table. Lietz says we must “figure out a way to create commonality. Create an even playing field, and that brings a new culture.”
That’s easier said than done. “Institutionalizing it means bringing massive amounts of people to a new mindset,” explained Lietz. “It requires everyone to level-up and skill-up.” Lietz emphasized the importance of putting goals in place and figuring out how everyone is part of the conversation.
Developers are usually eager to get involved. They have a natural interest in DevSecOps. Security practitioners are more challenging. “They usually gravitate toward specializations. You really need to be a generalist in this scenario, just because of the stuff that’s being thrown at you,” O’Neil explained. “It often takes a complete immersion to achieve a culture shift and to get people to change their thinking.” Compliance people are often last to the party, but it’s critical to take time to educate and get their buy-in, as well as their understanding.
Making a success of DevSecOps means creating a culture shift that brings people together. Zanelli emphasized the importance of bringing on security teams during critical times, such as when application teams are building functionality or components with a lot of complexity. This allows the tools themselves to be designed with security practices embedded. Examples he provided included OSS (open-source software) scanning, static code scanning and simply maintaining the fidelity of packages from a security and vulnerability standpoint.
Lietz pointed out the need to have empathy for differing learning capabilities. Large organizations use the concept of city maps, which enables people to work with others and leverage the benefits of the entire environment. “Get teams organized in a meaningful way, having the right conversations and getting the services they need, so that they do not have to learn everything all the time. No one should be expected to be the perfect cloud practitioner, DevOps and DevSecOps expert.”
Lietz also pointed to the “paved road” concept. This involves figuring out how you get the paved road, how to measure its successes and resiliency from a security perspective, and how to bring everyone along. Lietz said it’s not about just getting the right skills. It’s about adapting them to the right application within your company.
Each participant gave his or her top tips for building an effective DevSecOps culture. Here’s what they said.
Using the right metrics that bring the various groups together is essential to creating unity. Lietz emphasized the need to focus on positive metrics, such as resilience metrics that measure how resilient you are against adversaries.
Zanelli said he’s a huge believer in data management. “That’s where we gain the most insights.” Integrate enterprise resource data, code quality and scanning tools, operations, and problem and risk management systems in the build stage. “If a code shows that it has a certain number of vulnerabilities, we can break your build until it’s remediated. Data management links together the business process, the context of the application and the posture of the application. It enables more intelligent choices on how to react to cyber threats before we start applying a blanket policy to everyone,” continued Zanelli.
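The build gate Zanelli describes, and the “policy as code” idea raised earlier, can be shown as a small context-aware gate: remediation thresholds keyed to an application’s posture and business context rather than one blanket number. This is an added illustration, not code from the panel or from any of the panelists’ organizations; the policy table, severities and sample findings are constructed for the example.

```python
"""Context-aware build gate (policy as code). Assumed example, not from the panel."""
from dataclasses import dataclass

# Constructed policy: maximum open findings per severity, keyed by application
# posture. Severities absent from a row (e.g. "low") do not affect the gate.
POLICY = {
    "internet-facing": {"critical": 0, "high": 0, "medium": 5},
    "internal":        {"critical": 0, "high": 3, "medium": 20},
    "sandbox":         {"critical": 2, "high": 10, "medium": 50},
}


@dataclass
class Finding:
    id: str            # scanner's finding identifier (constructed values below)
    severity: str      # "critical", "high", "medium", "low"
    fixed: bool = False  # remediated findings no longer count against the gate


@dataclass
class AppContext:
    name: str
    posture: str               # one of POLICY's keys
    handles_pii: bool = False  # business context that tightens the policy


def effective_policy(ctx: AppContext) -> dict:
    """Merge posture limits with business context: PII apps allow no open highs."""
    limits = dict(POLICY[ctx.posture])
    if ctx.handles_pii:
        limits["high"] = 0
    return limits


def evaluate_gate(ctx: AppContext, findings: list) -> tuple:
    """Return (passed, reasons); reasons names every severity over its limit."""
    limits = effective_policy(ctx)
    counts = {}
    for f in findings:
        if not f.fixed:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    reasons = [f"{sev}: {counts.get(sev, 0)} open, limit {limit}"
               for sev, limit in limits.items() if counts.get(sev, 0) > limit]
    return (not reasons, reasons)


# Constructed sample: one open high, one already-remediated medium.
SAMPLE_FINDINGS = [Finding("FINDING-PLACEHOLDER-1", "high"),
                   Finding("FINDING-PLACEHOLDER-2", "medium", fixed=True)]

if __name__ == "__main__":
    for app in (AppContext("payments", "internet-facing", handles_pii=True),
                AppContext("reporting", "internal")):
        print(app.name, evaluate_gate(app, SAMPLE_FINDINGS))
```

The same scan result breaks the build for the internet-facing PII application but passes for the internal one, which is the point of linking scan data to application context before deciding how to react.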
O’Neil homed in on the importance of monitoring subtleties. “You must create a virtuous feedback loop.” The measurement would answer questions, such as:
“All these work together to give metrics actual meaning,” concluded O’Neil.
The group concluded by briefly discussing templating, all agreeing how crucial it is to moving forward. “Getting consistency out of mainstream cloud providers is vital to informing our security posture,” said O’Neil. Lietz agreed, adding “Templating can raise the waterline and have the biggest impact against our adversaries.” She emphasized that security is immature from a tech perspective. “We’re buying features instead of actual platforms. Capabilities must be built into the bigger platforms. There must be a revolution that makes templates really matter.”
Change happens through collaboration. ONUG provides the forum for industry leaders to discuss trends, challenges and best practices. Join us for our next Digital event, ONUG Fall, on October 14 and 15. Register here or contact us to learn more about our community.