RSAC DevOps Connect: Developing DevSecOps Strategies

This year’s RSAC 2018 featured a DevOps Connect: DevSecOps Day. This event took place on April 16^th and was hosted by DevOps.com and Security Boulevard. DevSecOps is an important development within the DevOps community, and this event brought together minds throughout the industry to talk about their DevSecOps strategies.

The conference featured speakers from companies like Nike, Sonatype, Intuit, Bandai Namco, etc. These speakers went over their journey in securing DevOps. Session titles included “Zero to Ninety in Securing DevOps,” “DevSecOps – It’s a People Thing,” etc. The full list can be seen here.

Security and development mingling

Security Boulevard published an article featuring some of the key points that were discussed at the event. Specifically, they talked about J. Wolfgang Goerlich, VP for Strategic Security Programs at CBI. Goerlich discussed a plan to implement DevSecOps in 90 days.

Goerlich talks about security professionals needing to be more in touch with developers, but I think that this needs to go both ways. Developers see security as a hindrance to the speedy benefits of security. Thus, security needs to work faster and cater to what developers need, as is Goerlich’s point. However, developers also need to recognize what security wants from them and make this security process collaborative.

DevSecOps strategies

The 90-day plan is divided into three 30-day phases. The first 30 days is spent learning, the next is on assessing, and the final 30 are spent planning.

The learning phase is spent elaborating on what your development team means by “DevOps.” Each team implements and sees DevOps in a different way. Goerlich mentions teams need to figure out what automation processes they have and what they need. This is an occasionally overlooked aspect of DevOps. The main emphasis many publications and research on DevOps is culture. Teams need culture, of course, but proper cultural practices are supplemented by automation and other beneficial DevOps tools.

The assessment phase is assessing what tools you might what to add. Figuring out what needs to be done is important, as each company will have different goals. DevOps and DevSecOps are different for every company. For example, some companies are more reliant on containers than others. So, as far as improving security, it would be beneficial to find a company that provides a proper container management platform. Our Free Container Platform Buyer’s Guide can help you find out exactly what you need.

The final phase is planning. This is a much more definitive component than the other two phases. The other two are more hypothetical, but here your team needs to figure out how to determine success. This should be shared amongst your various IT teams. Once your measurements are set, you should work towards accomplishing these goals in quick increments. It’s much easier to maintain momentum when you have fast accomplishments.