How we create code, how we deliver services, and how we run our businesses has transformed. It grew out of the work of some of the most advanced software development teams (the Googlers, the Netflixes, and the Etsys), and it now knows no bounds, being taken up by biochemical agriculture companies, industrial companies, retailers, communication companies, and beyond. This shift in development patterns manifested itself as DevOps, a method where engineers deliver small but high-frequency updates to code. The old policies, tools, and toll-gates no longer succeed. As a result, cybersecurity must evolve.
In 2015, I worked with an incredible group of individuals on a guide to help inform the opportunity for cybersecurity with auditors in this new paradigm. We didn’t know we were creating a foundation for companies across the world, but our work has become that to many. I have seen the work in the public-audit world, at private companies, at global companies, and the work referred prominently in books published by luminaries across fields. This is the foundation for our next steps, and RSA Conference has provided this platform to share insights to help you accelerate and enable product development at your companies, and improve cybersecurity beyond anything we have been able to accomplish.
This transformation on HOW we build and deliver our products is our greatest chance to simplify security before complexity enters the system. That is the focus of this column and challenge for our community.
To change today we must first gain a perspective on what has changed, and so the immediate recommendation is to do a deep dive:
- Seek out the DevOps cadre in your organization (not all of them, but a small, high-performing team).
- Analyze their methods of executing their job (i.e., how does code get from their laptops to a server?).
- Ask what security, compliance, and privacy scripts they have set up, and what their tooling can support.
With these answers you can then learn where they have made progress, where you can help, and how you can introduce cybersecurity support that is automated using their own pipeline tools.
The Simplicity and Value for Application Security in DevOps
The hardest challenge of any pursuit of excellence is knowing where to begin. This was true when I wrote my second book, How Not To Be Hacked, and it is true for an organization maturing its application security program in a DevOps world.
The scenario: your business has a sophisticated engineering base that is delivering products around the world. The products range from homegrown hardware and software to third-party hardware running third-party software, cloud-based products, IoT products, and more. Basically, everything that can be done is being done. Fantastic. Your self-assessment is that practices are inconsistent across your products, based on market news, the amount of rework being consumed by developers, and other metrics.
Where do you start? How do you get involved to enable, enhance, and improve customer engagement and the quality of life of your fellow engineers and developers?
Start with the security issues and events. Set up a process where YOU are alerted within 24 hours of any security issue/event concerning a product that impacts customers. Now here is the trick: approach this as a problem-solving exercise, not as a compliance or security review. Words matter here, and the framing of these activities is critical to achieving a significant return on this investment.
How to execute your post-mortem on a product security issue/event:
- Within 24 hours of resolution, conduct a blameless review with all relevant parties of what led to the security issue/event.
- Identify performance improvements and process improvements (not controls or gates, but automated corrections at the source).
- Work with the impacted team to roll out the improvements and measure their impact (which should be ZERO on efficiency and flow).
- Scale to the rest of the business.
Now the fourth point is an art unto itself, but if after every incident the first three steps are followed, and some of the fourth is achieved, you will start seeing holistic transformations in your product teams' cyber-resilience, and you will have improved the daily quality of your products and built a culture that values cybersecurity. Tackling how to scale is another topic for another day. What additions or tricks do you use in your post-mortems?
Never seen The DevOps Audit Defense toolkit? Here is a link.
Here is a link to the presentation Gene Kim and I gave on Agile & Audit: http://www.slideshare.net/realgenekim/keeping-the-auditor-away
Finally, if you are looking to get neck-deep in DevOps, a great new book by Gene and team was recently released. Check it out!