Analyzing DevSecOps vs. DevOps

PEOPLE

Many organizations think DevOps is all about tools, but in actuality, strong leadership and culture are vital to its success. Gartner research found that through 2023, 90% of DevOps initiatives will fail due to the limitations of management approaches used by leadership.

Shifting to the “assume breach” mindset

Seems impossible, right? In his CloudSec 2021 session, Microsoft DevOps Architect Davide Benvegnu discussed how his engineering team (focusing on Microsoft Azure DevOps) changed their mindset. They started with two teams: the red team focused on hacking/penetrating the environment, while the blue team tried to identify and remediate risks before the red team was successful.

Benvegnu’s team soon realized this wasn’t the most effective approach. Instead of playing “catch-up” with the red team, they eliminated the blue team and spread its components across each feature team, completely shifting security left.

Now, each feature team is responsible for the security of the product. To ensure their tasks were completed securely, they leveraged security tools with automation to help prevent common risks like credential theft, secrets leakage, and open source software (OSS) vulnerabilities. Developers also learned to write secure and reliable code and to write tests that check for security vulnerabilities.

PROCESS

Establish security practices throughout the entire process

If the teams don’t buy into the mindset and new approach, they will be less likely to actually follow procedures. After everyone is on board, you can effectively implement security practices throughout the build lifecycle.

For example, when you open a pull request, run a security scan and block the pull request if vulnerabilities are present. Next, run the same vulnerability scanning in the CI/CD pipeline for anything pushed or merged. Set up fixed-interval scans to check the code base, even if nothing was pushed or committed, just in case you decide to use it later. Finally, deploy only after all security tests have passed. Ideally, deploy across multiple stages with release gates to test for security, not just functionality. Progressive exposure helps identify and fix vulnerabilities as quickly as possible.
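
The gate logic described above, sketched as an added example (not code from the session or from Azure DevOps). The report fields, the stage names and the 24-hour scan interval are assumptions; the gate fails closed, so a missing, unfinished or stale scan blocks promotion just as a finding does.

```python
from datetime import datetime, timedelta, timezone

MAX_SCAN_AGE = timedelta(hours=24)  # assumed interval for the fixed-interval scan

def evaluate_gate(report, now, max_age=MAX_SCAN_AGE):
    """Return (allowed, reasons). Fails closed: no usable scan means no pass."""
    if report is None:
        return False, ["no scan report for this revision"]
    reasons = []
    if report.get("status") != "completed":
        reasons.append("scan did not complete: %s" % report.get("status"))
    finished = report.get("finished_at")
    if finished is None or now - finished > max_age:
        reasons.append("scan result has no timestamp or is older than the scan interval")
    for f in report.get("findings", []):
        reasons.append("%s in %s (%s)" % (f["kind"], f["path"], f["id"]))
    return not reasons, reasons

def promote(stages, reports, now):
    """Walk the release stages in order and stop at the first failed gate.
    Returns (stages reached, blocking stage or None, reasons)."""
    reached = []
    for stage in stages:
        allowed, reasons = evaluate_gate(reports.get(stage), now)
        if not allowed:
            return reached, stage, reasons
        reached.append(stage)
    return reached, None, []

# Constructed sample data: stage names, ids and paths are illustrative only.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
STAGES = ["pull_request", "ci", "ring0_internal", "ring1_early", "ring2_all"]
CLEAN = {"status": "completed", "finished_at": NOW - timedelta(hours=1), "findings": []}
REPORTS = {
    "pull_request": CLEAN,
    "ci": CLEAN,
    "ring0_internal": CLEAN,
    # Nothing was pushed since this scan, but it is three days old, so it no longer counts.
    "ring1_early": dict(CLEAN, finished_at=NOW - timedelta(days=3)),
    "ring2_all": CLEAN,
}
LEAKY_PR = dict(CLEAN, findings=[
    {"id": "EXAMPLE-001", "kind": "secret", "path": "app/settings.py"},
    {"id": "EXAMPLE-002", "kind": "oss-vulnerability", "path": "requirements.txt"},
])

if __name__ == "__main__":
    print(promote(STAGES, REPORTS, NOW))   # stops at ring1_early
    print(evaluate_gate(LEAKY_PR, NOW))    # blocked, one reason per finding
```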
