Moving to SecDevOps: A primer

Over the past few years, federal agencies have become more and more comfortable with Agile development methodology and related DevOps practices. Adopting these ideas means that the developers improve software incrementally and continuously, rather than offering major updates only occasionally.
The term “DevOps” derives from software development and IT operations. In practice, it means continuous integration, automated testing, continuous delivery and continuous deployment.
DevOps alone, however, does not address cybersecurity. Therefore, those incremental improvements may or may not enhance the overall security of a solution. It depends, in part, on the organization’s policies and practices, and in part, on the awareness of individual developers to ensure that code changes do not introduce vulnerabilities. 
In federal IT, security validation is where an IT organization is likely to halt progress on Agile development. Due to a number of factors, including a lack of security personnel proficient in Agile and DevOps and the overall dearth of cybersecurity professionals available to hire, validating security takes more time. 

SecDevOps: The key to speed

The potential solution for this bottleneck is SecDevOps. While it is often called DevSecOps, we and our CGI colleagues prefer to put security first in the order to emphasize its importance. Either way, the term emphasizes that an organization treats security with as much importance as development and operations. 
An Agile development IT operation using SecDevOps as its guiding principle, puts these three practices at the forefront: 

1. A secure architecture is at the foundation. Designing for security first eliminates – or at least, significantly reduces – the level of effort that after-the-fact compliance demands. The organization creates a culture that keeps secure coding standards top of mind. If the work product lacks those standards, the organization will not call it finished. Security testing happens early too, during build integration. 
2. Product teams are in charge. Using automated security testing as an integral part of the development pipeline, product teams get early alerts and insight into potential vulnerabilities. True to the Agile philosophy, this gives the teams an opportunity to adjust and refine the design iteratively until the vulnerabilities are eliminated. 
3. Security professionals are involved early. Automated testing means testing is never overlooked, even when developers are more concerned about the speed. To support testing, security professionals are deeply involved in the development process, helping create the appropriate rules and parameters. If the final product needs to meet specific requirements such as FedRAMP, the security experts must ensure that the testing regimen evaluates the relevant factors. 

The culture shift

SecDevOps requires the people involved to take a more holistic view of a project than they might be used to. It is crucial that everyone is equally concerned with the speed of development and security.  
Cultural changes are often the hardest to make, but Agile developers are already accustomed to flexibility and rapidly-changing conditions. As agency IT shops enact the process and policy changes needed to support SecDevOps, leaders should communicate transparently to the development teams and the security professionals to ensure they understand how they should respond. 
Our colleague Bryan Hall recommends five key steps for an organization to move into a SecDevOps mindset with minimal difficulty. Read his post for more detail, but in summary, they are: 

1. Communicate early and often. 
2. Establish a technology advisory review board. 
3. Start with a clearing session to identify pain points.
4. Determine why those pain points exist and how to address them.
5. Start experimenting with small changes. 

It is true that shifting to a SecDevOps paradigm, even if the agency is already using DevOps, is a significant change and it can be disorienting. Bringing security into such a central and early role can cause some difficulty along the way, but in our experience, the reward is worth the pain. 
For more detail and insight on this topic, download the CGI Federal white paper, “Finding the On-Ramp to the SecDevOps Highway.”