Software development serves as the lifeline for thriving organizations, whether it’s for enterprise use or consumers. Cybersecurity threats continue to increase in volume and severity, threatening the livelihood of software vendor companies and the clients who use their platforms. Equifax, Capital One, Uber, Yahoo… the list goes on and on of companies whose sensitive data was compromised by hackers.
More and more, DevOps teams are integrating security into their software development life-cycle (SDLC), while adopting Agile practices. This emerging approach is known as DevSecOps, compelling organizations to address threats and vulnerabilities early in the SDLC planning stages. DevSecOps also reduces the number of patches or remediations needed later on, so companies can focus on enhancements and innovation.
The DevSecOps mindset is that everyone is responsible for security across the organizations. This mindset is strengthened by having the right people and processes in place, supplemented by automation tools. Executives and stakeholders are advised to stay engaged with their organization’s DevSecOps program from start to finish to ensure the enterprise landscape is protected.
In this article, I offer recommendations and advice on how to build an effective DevSecOps team that “shifts security left.” It means addressing security requirements early on in the software delivery process. “Shift left security” is not only inclusive of architectural threats, but also threats to infrastructure, networks and operations.
Automate When You Can
Automation is an important part of DevSecOps. It can help to streamline processes and harden the Continuous Integration and Continuous Development (CI/CD) pipeline. Automation helps to reduce human error, while also reducing the time spent on manual processes. Configuring, integrating, testing, and orchestrating can be automated with the right platform.
Recruit DevSecOps Teams with the Right Skill Set
DevSecOps is an evolving, growing field. Finding skilled talent that has a working knowledge of DevSecOps isn’t always straightforward—there are, after all, three important factors: development, security and operations. When possible, balance your team with professionals who are strong in one or more of the disciplines, in addition to having an understanding of threat-modeling automation tools. You may find a prospective employee who has already worked in DevSecOps. In that case, s/he can help other team members to develop their skill sets.
How Can You Find the Right DevSecOps Candidate?
Broaden your candidate search beyond your backyard—the right candidate may require relocating or remote work. For the most highly sought-after talent, if cost is a factor, then consider employee benefits. Opportunities for growth, and access to cutting-edge tools and technology, are attractive to the right people.
Appoint Key Architects to Lead Teams Involved in DevSecOps
Assemble a team of senior architects, who serve as the driving force in DevSecOps. Senior architects will possess a level of mastery in security best practices, which they will clearly articulate and enforce. The senior architects will need to navigate through business, operations and security, including the entire IT ecosystem and related security policies. They will have attained proficiency in threat modeling to enforce shift left processes. The ability to train and mentor others is a big plus as it will encourage junior staff to apply best practices.
Time-to-Market Can Wait for DevSecOps Security
Let’s face it: Security takes time, effort and resources. It is a myth, however, that prioritizing security threatens production deadlines. When an organization shifts left and implements a DevSecOps program, they will do so through the right combination of people, processes and technology.
Archie Agarwal is the founder and CEO of ThreatModeler. With more than 20 years of real-world experience in threat and risk analysis, Archie has been instrumental in successfully implementing secure software development processes at a number of Fortune 1000 companies to minimize their exposure to cyber threats and mitigate risks.