- Establishing a security champions program
- Enabling through training
- Improving empathy and cooperation
- Reinforcing success
Establishing a security champions program
The increased pace of DevOps delivery helps boost the frequency of product releases, but often at the cost of neglecting security practices. Creating a security champions program, in which security champions within the development team are assigned and trained, ensures that security remains a priority throughout the software delivery process. Security champions are responsible for coordinating, tracking, and reporting security issues for the project and help decide when to engage the Security Team. Some of the most important duties of the security champion include the following:
- Ensure that security is not a blocker on active development or reviews.
- Be empowered to make decisions (but be sure they will not be held accountable as the sole cause for security issues that arise from the dev team).
- Work with the AppSec team on mitigation strategies.
- Help with QA and Testing.
- Write tests (from unit tests to integration tests).
- Help with development of CI (Continuous Integration) environments.
- Keep track of and stay up to date on modern security attacks and defences.
- Introduce a body of knowledge from organizations, for example, OWASP (Top 10, Application Security Verification Standard, Testing Guide etc.).
- Work in collaboration with operations and developers to align monitoring and logging with code errors and exceptions.
For more information about establishing or growing a Security Champions program, check out episode #72 of The Secure Developer Podcast.
Enabling through training
A successful DevSecOps programme also invests in good training and professional development for existing dev team members and new hires. Although software developers are typically not meant to become professional pentesters, it is still valuable for them to learn about the attacker's perspective through practical hacking exercises and deliberately vulnerable applications. The minimum topics that should be included in security training for DevOps are threat modeling, secure coding practices, vulnerability concepts, and vulnerability prioritization.
Traditional training methods, such as computer-based and instructor-led programs, can be very effective. Good training content must be rooted in company goals, policies, and standards for software security, and should therefore ideally be, to a degree, tailored to the specific needs of the team and the company.
Organizations should also consider less traditional models of training. Gamification, leveraging security challenges, for instance, has been shown to greatly increase engagement and the overall success of training initiatives. Conference attendance, support for achieving industry certifications, and even internal certification programs can also help enhance engagement, and as a by-product, also help with retention of skilled resources.
There is considerable discussion in the security community about a skills gap. Hiring highly skilled resources with lengthy experience can be difficult or even impossible. Investing in the development of a cohesive security team through training programs can help overcome this challenge.
Organizations often find that transitioning employees from related roles, such as development, operational support, or network administration, can be an effective roadmap for building out a security team. The organizational and technical experience these people bring is a great complement to traditional security expertise.
The wider organization (everyone):
Security training should not be limited to the security and DevOps teams but should be expanded to the whole organization to ensure every aspect of the business is security-aware.
Creating a security awareness program based on the results of the risk assessment ensures that every employee knows how to react when they see a possible threat and is familiar with internal security policies.
Lunch-and-learn sessions organized by both the security and DevOps teams should aim to share each team's knowledge and to collectively work through mock incidents, testing incident response runbooks and tailoring them further to the processes of each team affected. Security awareness challenges, internal security summits, and other creative methods can help reinforce formal training efforts.
Improving empathy and cooperation
The need for understanding between developers and security practitioners has been a topic of conversation for decades. It is often challenging to help security teams become more aware of the challenges developers face, and vice versa. However, the value such understanding creates in terms of implementing successful improvements cannot be overstated. In a DevSecOps model, this is of particular importance. Security tools that create unnecessary strain for developers can be detrimental to the pipeline, and developers introducing technologies that create serious security risks can cause equally damaging issues.
Building upon the idea of security champions, organizations can improve outcomes by embedding people cross-functionally. Assigning security engineers to work within the development team for a period of time, and developers to work with security teams, helps build this empathy. Those people can then bring important perspectives back to their core teams on the inner workings and challenges faced by the other teams. This is an effective practice that can also be extended to operational and even business teams.
Reinforcing success
Studies have shown that adoption of new programs can be enhanced through the use of positive reinforcement. This is an area that is easily overlooked as organizations roll out their DevSecOps programs. However, it is crucially important to implement a strategy for rewarding the desired behaviors. Just as with training, gamification of the program can help drive strong results. Offering gift cards, company swag, or other simple rewards such as e-badges or special recognition should be considered.
Certainly, the strategy for how rewards are earned needs to be tailored to the organization and its culture; there is no one-size-fits-all method or framework for this. However, it is important to consider the goals of implementing a DevSecOps model and which benefits are most crucial to the organization. From there, a reward methodology can be created that ensures the rewarded behaviors contribute to those goals.