Perhaps you dream of the day when your operations and development teams can work together with agility, quickly producing high-quality code and involving your security team throughout the process.
What about leading development, operations and security teams that communicate and empathize with each other’s job challenges instead of managing three siloed groups that only communicate when sending nasty emails or ticket orders to each other at 3 a.m.?
Achieving a culture of secure dev ops doesn’t happen overnight, but it is possible when the leadership of an organization makes the brave, conscious decision to lead their organization on a journey to examine processes, make changes to encourage teams to work together and find the right platform.
Tariq Islam, senior specialist solutions architect of Red Hat, Inc., shared an example of a federal government agency that made a huge cultural shift to successfully move toward secure dev ops. Islam said the agency, while similar to other federal agencies he’s encountered, had something that set them apart:
“When it came to modernization of their infrastructure and applications,” said Islam, “the agency took a top-down approach. Their leadership was brave enough to embark on a lot of different cultural changes that needed to be made.”
Islam was quick to point out that while a lot of different tech options could have enabled this cultural change, it was more about the organization’s top-level executives leading the charge in adopting a new way of doing things that made their efforts successful. Islam explained how this agency made this vital change to achieve a culture of more secure dev ops, protecting themselves from internal and external security threats.
The agency implemented the security principle of least privilege, meaning “actors only have minimum access to do their job and do it well,” said Islam. Everything around their dev ops model, culture, processes, people and tools adopted from Red Hat followed this security axiom. Any additional user access required approval, justification and an auditing trail to maximize security.
To achieve a culture of secure dev ops, security must be integrated throughout the life cycle of a product, not just at the beginning, at the end or months after a product is shipped and put into operation. The agency was a marquee example, said Islam, of making “security first, security last and security in between everything else.” He said this was done by the leadership examining everything the organization was doing and determining how security could be interwoven through its processes.
In working toward a culture of secure dev ops, Islam said the agency’s development, operations and security teams developed an implicit trust in each other that hadn’t existed historically. This “marriage” or confluence of the three groups was enabled by technology but was implemented by bringing the teams together, not just on paper but physically as well. Islam said the leadership changed office space and structure, improving communication to help get things done faster and become more automated.
Every team’s input is important
Islam said having the right platform essentially out of the box provides an organization with a jump-start to make the cultural changes toward secure dev ops. Finding the right platform requires a rigorous selection process and input from every team. The agency asked the development, operations and security teams to participate in an evaluation of various platforms and together chose the best tool with the requisite features to meet their needs and make the changes they wanted to make.
Choosing the right platform
Ultimately, Islam said choosing the right platform is crucial in making a shift to secure dev ops. He said one of the biggest mistakes an organization can make is to choose a platform that is immature, untested or unproven.
“You don’t want to be the guinea pig for the new product,” Islam said. When an organization is taking a risk and plans to make a lot of organizational changes, it should choose a platform or product that is credible, well-established, backed by a mature vendor in the industry and able to provide the necessary support and advice. Islam said the government agency in his example ultimately chose Red Hat because it has proven itself over the last several decades, supporting a variety of customers for their mission applications and workloads.
Islam said it’s important to remember that achieving a culture of secure dev ops doesn’t happen overnight; it’s a continuous journey and not a destination. It not only involves perhaps a change to the right product or platform but a commitment to interweaving security into every step of the process and every part of the product.
“It’s a different way of looking at security,” said Islam. “Security becomes a first class citizen; a proactive measure instead of a reactive measure.”