How to avoid DevSecOps indigestion

In a perfect world, DevSecOps weaves security practices into the software development and delivery processes and gets your software out the door more efficiently.

What could possibly go wrong? Lots, says Jimmy Xu, leader of Trace3’s DevSecOps practice, in the latest Code Patrol podcast.

Xu is the DevSecOps director at Trace3 — one of Contrast Security’s core channel partners when it comes to Application Security (AppSec) consulting, advisory and implementation services. As the leader of Trace3’s DevSecOps practice, Jimmy has seen many examples of how DevSecOps can be pulled off successfully … and also where it can nosedive. 

Xu recently spoke about DevSecOps with our co-founder and CTO, Jeff Williams, in a Fireside Chat on the present and future of code security. Jimmy was kind enough to drop by the podcast to go even deeper into how you get those three elements — development, security and operations — to mesh in a way that results in an efficient development process and applications that are secure for users.

Good and bad ways to do DevSecOps

Xu has certainly seen examples of DevSecOps getting bumpy. Too often, overwhelmed security teams see code security as something that can be offloaded to the DevOps team so that they can have one less responsibility on their plate. They acquire tools — often way too many of them — and dump them on developers’ plates before they vamoose. 

For Xu, a successful approach to DevSecOps is the opposite of that. It requires all the stakeholders in the process to change their mindset. Rather than operating in silos and having distinct responsibilities for development, security and operations, teams need to move toward an attitude of empowerment, empathy and two-way trust.

Communication is key in making this successful. Security team members need to coach developers in how to use security tools to make their jobs easier, rather than harder — and be there for them as they try to make it work in real life. Security and development leaders need to work together to cultivate security champions on the development team who can be cheerleaders for best practices with their colleagues.

Making an effective security champion

The identification and nurturing of security champions has been formalized into a program at some companies, but the launch can have mixed results. In Jimmy’s view, the differentiator is the program focus. Some security champion programs focus too much on education and training, meaning the champions teach their colleagues how to follow best practices or use a tool, but the security team remains in charge.

In contrast to that approach, the best champion programs empower these developers to make actual security decisions for their team. After all, they have knowledge that the security team doesn’t have. In some cases, a vulnerability might have a high Common Vulnerability Scoring System (CVSS) score, but the champion knows that the vulnerability isn’t exploitable in the application. Companies that do this kind of intelligent threat modeling can go beyond the CVSS score to identify the actual risk the vulnerability poses in a specific application or application programming interface. Security champions on the development team can be a key part of that approach.
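One way to make that contextual judgment concrete in a pipeline gate, as an added example that is not from the podcast or from Trace3 or Contrast Security: a finding's CVSS v3.1 severity band is adjusted by context the security champion records (reachability, untrusted input, compensating controls), with an audit trail of why, and only the adjusted tier decides whether a release is blocked. The downgrade rules, the gate threshold and the sample identifiers are assumptions made for this example.

```python
from dataclasses import dataclass

# CVSS v3.1 qualitative severity bands (upper bound of each band, per the spec).
TIERS = ["None", "Low", "Medium", "High", "Critical"]
UPPER = [0.0, 3.9, 6.9, 8.9, 10.0]

def cvss_band(score: float) -> str:
    """Map a CVSS v3.1 base score (one decimal) to its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)
    return next(t for t, hi in zip(TIERS, UPPER) if score <= hi)

@dataclass
class Finding:
    vuln_id: str      # scanner identifier; sample values used in tests are constructed
    cvss_base: float  # base score as reported by the scanner

@dataclass
class ChampionContext:
    """What the team's security champion knows that the scanner does not."""
    reachable: bool                 # vulnerable code path can execute in this application
    untrusted_input: bool           # that path is fed attacker-controlled data
    compensating_control: str = ""  # e.g. upstream validation; empty means none
    rationale: str = ""             # recorded so the decision is auditable later

def contextual_tier(finding: Finding, ctx: ChampionContext) -> tuple[str, list[str]]:
    """Adjust the CVSS band with application context (assumed rules); returns (tier, audit trail)."""
    tier = cvss_band(finding.cvss_base)
    trail = [f"{finding.vuln_id}: CVSS base {finding.cvss_base} -> {tier}"]
    idx = TIERS.index(tier)
    if not ctx.reachable:
        # Unreachable today may become reachable after a refactor: floor at Low, never None.
        idx = min(idx, TIERS.index("Low"))
        trail.append("code path unreachable in this application -> Low")
    else:
        if not ctx.untrusted_input:
            idx = max(idx - 1, 0)
            trail.append("no untrusted input reaches the path -> one band lower")
        if ctx.compensating_control:
            idx = max(idx - 1, 0)
            trail.append(f"compensating control '{ctx.compensating_control}' -> one band lower")
    if ctx.rationale:
        trail.append(f"champion rationale: {ctx.rationale}")
    return TIERS[idx], trail

def blocks_release(tier: str) -> bool:
    """Hypothetical pipeline gate: only High or Critical contextual risk stops a release."""
    return TIERS.index(tier) >= TIERS.index("High")
```

The audit trail is the important part: a downgraded finding should carry the champion's reasoning so the security team can review the decision rather than lose sight of it.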

Check out the podcast to hear more nuggets of wisdom from someone who’s successfully spread security through DevOps at many organizations and knows what makes it go down smooth vs. what makes such programs choke. 

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.