The latest report from Coalfire’s prestigious Cloud Advisory Board (CAB), consisting of some of the world’s most experienced C-level cyber leaders, and cloud security thought leaders from Coalfire, provides some of the most significant insight and timely advice for cybersecurity leaders in 2022 and beyond. The smartest path of DevSecOps transformation Securealities report roadmaps the journey to continuous integration and deployment (CI/CD). Simply put, there will be nothing more important to securing the enterprise, its customers, and the economy itself than building security directly into application development and the product lifecycle from the first scrum to final decommissioning. This means development and security teams working together every step of the way within the new discipline of DevSecOps.
From skills shortages to vulnerable supply chains, we’re facing down expanding and existential threats. If your programmers and cyber pros aren’t playing well together today, you’re behind the curve.
Here are a few takeaways to help you prepare and enable your DevSecOps Transformation that Mark Weatherford (Coalfire Cloud Advisory Board Member and board advisor to public and private organizations) and I highlight in the Securealities report.
As you prepare, ensure focus and investment in these key areas:
- Define and align your security vision
- Commit to train, train, train
- Plan for and invest in automation
- Enlist AppSec Champions for support and scalability
1) Define and align your security vision
The CISO must establish and communicate their vision. This is best done by taking a few key steps:
- First, gauge security awareness and interest within the organization’s leadership
- Articulate what “secure” means, why you want to be secure, and get others to believe in it
- Coach fellow managers and executives into alignment between security and C-suite teams, cultivate a regular audience with the board, and get them on board
- Be sure to establish expectations, policies, and a culture that orbits around security
Even though they are often viewed as a distraction, training programs are mission-critical, and their importance in forwarding a DevSecOps culture cannot be over-emphasized. Start your program out on the right foot:
- Make it quick and convenient with sessions that are short and easy to attend
- Develop skills and make it fun
- Encourage subtle competition between product development teams
- Integrate training between development and security to bring them closer to becoming a unified team
- Ensure training is mandatory for everyone including managers, designers, engineers, etc.
- Bring in third-party trainers to reinforce new skills and methods
- Encourage developers to build skills, add qualifications to their LinkedIn profiles, and become stand-out experts in their jobs
3) AppSec Champions
We’ve seen the emergence of AppSec Champions Programs over the years, but in preparing to integrate effective DevSecOps business practices, these programs have become indispensable in encouraging developers to write secure software. Start with a single AppSec Champion to drive the process. Create a little competition in getting your “ninjas” to support your program by integrating a champions program within your teams.
These are typically led by smaller AppSec teams operating out of a centralized security organization. They exercise influence over software developers who report to managers in a separate reporting line and help to leverage dev teams to consistently build more resilient, more defensible, and less vulnerable software. They do not have managerial control so much as they are there to influence behavior.
Application development, compliance, and testing are key to integrating security into every step of the secure product lifecycle. There are many automation opportunities available, but one that is critical and often overlooked while preparing for DevSecOps transformation involves Application Security Orchestration and Correlation (ASOC). ASOC helps development and security teams streamline processes that correlate, discover, and de-duplicate disparate testing results; validate and prioritize vulnerabilities; and manage remediation.
Automating around application and vulnerability management systems across a wide range of integrated tools is the new security imperative. Organizations must create a new vision for everyone, commit the resources, and ensure that the concept of maturity is clearly defined.
Security is no longer downstream of creative product invention and application development, but rather integral to the process. It’s time to model the threats and identify and fix vulnerabilities faster. It’s time to embed security into every aspect and at the earliest stages of the application development cycle. The full report provides additional insights and guidance on how best to do this! On the smartest path to DevSecOps transformation, the best advice for security and executive leadership teams is to prepare, move forward, and never look back.