Today, leading governments are working to integrate security into their DevOps practices and culture, ensuring that public sector innovation can be delivered securely – and creating an evolved approach called DevSecOps. Effective DevSecOps requires new tools and tactics, as it builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later.
Below are the tools and tactics necessary to bring DevSecOps to your agency.
Containers and Microservices
At its core, DevSecOps relies on automating routine operational tasks and standardizing environments across an app’s lifecycle. Containers offer these necessary standardized environments. They make it easier to move applications between development, testing and production environments. Containers let developers package and isolate their apps with everything they need to run, including application files, runtime environments, dependent libraries and configurations.
Automation
IT architectures are continually changing and must be infinitely flexible. Automation in software – and in security, in particular – helps with efficiency, delivering value faster and solving IT and business workflow challenges. As organizations adopt containers, an automated approach to security, testing and application development is needed to increase productivity and reduce risk. By automating security capabilities like enterprise firewalls, intrusion detection systems and security information and event management, organizations can better unify responses to cyberattacks. They do this through the coordination of multiple, disparate security solutions, helping these technologies act as one in the face of an IT security event.
Culture
Changing the infrastructure or the application architecture is easy. To effectively change what you produce, though, you need to change your culture. And cultural change goes even deeper than DevSecOps or agile or other methodologies. It is a commitment to actually putting everyone on the same team.
Major changes can begin with very simple steps. Cultural changes underpin all of the technological and process changes. If you’re struggling to build a DevOps or DevSecOps culture, try two things:
- Have your developers spend the weekend with operations and security teams watching a production rollout and learning what they go through.
- Track how many steps or service tickets it takes for a developer to request a new virtual system.
Seeing how other teams are functioning in real time can be a powerful force to encourage teams to change their processes or to open up communication.
Open Source
DevSecOps relies on a culture of collaboration that values openness and transparency. Implementing this approach means applying open source principles and practices because the cultural values of DevSecOps are tightly intertwined with the values of open source communities and agile approaches to work.
The culture of open source software projects can be a blueprint for how to build a DevSecOps culture. Freely sharing information is the default approach to collaboration in open source communities.
This blog post is an excerpt from our new self-paced online course, Integrating Security From End to End in Government With DevSecOps. In the course, you will learn why DevSecOps matters in government today and explore the evolution of DevSecOps.