Be intentional about culture. Most successful DevSecOps programs develop a work culture that encourages sharing knowledge, mentoring each other, and empowering the team to innovate and take risks. Develop shared goals, metrics, and rewards. Also, work to shift mindsets from monolithic, risk-averse, static, and centrally-controlled to more dynamic, community focused, decentralized, and contribution-based.
Start small, and focus on process and upskilling. Start small and hone the “build, fail, fix, repeat” mindset while developing new skills from within. Areas to focus on for upskilling include: Linux and scripting; top-tier programming languages and working with SDKs; cloud and container technology, such as Docker, AWS, Kubernetes, and comparable SaaS/IaaS offerings; proficiency with cybersecurity topics and security-by-design concepts; risk assessments and threat modeling; and continuous integration/delivery/testing/monitoring and agile methodologies.
Bring on new talent to pave the way. Consider hiring a few experienced outside people to show others the way. Sometimes companies need a fresh look at their problems with no preconceived notions.
Combine best-of-breed tools. Take advantage of development, automation, testing, and monitoring tools that make it easy for a developer to just hit a button and have the vulnerabilities and security deficiencies surface, right within the development process where they can address them promptly. Some to consider: Ansible, Codacy, Snyk, Hashicorp’s tool suite, Puppet, Chef, GitHub/GitLab, Aqua Security, IDS/IPS systems, and SIEM technologies.
Consider outsourcing. Some find it easier to engage a third-party company to become their outsourced DevSecOps organization. This minimizes the upfront investment and lets them tap into a larger pool of resources and more experienced professionals, which is especially valuable in regions where talent is limited. After a few years, the company can integrate the outside group into the larger organization.
Don’t try to reinvent the wheel. Talk to other companies, including those outside the industry, to learn how they dealt with the transition. This can help avoid the mistakes they stumbled through and can accelerate the company’s own strategy.
Ninety-one percent of application security managers reported experiencing security breaches related to vulnerable applications during the past year, with 54% attributing those breaches to their transition to the cloud, according to a Checkmarx survey reported by TechRadar.