Building security into DevOps is more important than ever. The 2021 Upskilling Enterprise DevOps Skills Report reported that 56 percent of survey respondents said DevSecOps is a must-have in the automation tool category. However, a DevSecOps approach is not about simply adding security tools and practices. Like any DevOps approach, it needs to be built into the culture, processes, and technology.
When DevSecOps isn’t strategically implemented across the organization, it’s easy to hit security roadblocks or issues. The best bet for success is to avoid these potential issues from the get-go. We asked experts including SKILup Day: DevSecOps participants and DevOps Institute Ambassadors to share common DevSecOps pitfalls. Here’s what they say you should avoid:
1. Trying to do too much at once
“The key to getting there is to take small steps. It is helpful to start with a pilot project: Identify a project and cross-functional team (app dev, ops, security) to implement a DevSecOps pipeline and process. Identify goals and use cases and prepare to iterate. Once the team is working well, document the implementation and the results, including business value (such as faster time to market or ability to address security issues up front).” -Kirsten Newcomer, director, cloud security strategy, Red Hat
[ How can automation free up more staff time for innovation? Get the free eBook: Managing IT with Automation. ]
2. Adding scanning tools to parts of a CI/CD pipe without a strategy for using the results of those scans
“Scanning for the sake of scanning generally creates a false sense of security and will usually result in more noise. It is important to think through how issues found in security scans turn into activities that lead to remediation.” -Rob Cuddy, global application security evangelist, HCL Technologies
[ Read also: DevSecOps pipelines and tools: What you need to know .]
3. Avoiding cultural baggage
“When teams began implementing DevOps over a decade ago, the must-execute item was culture. DevOps was fundamentally built around collaboration, empathy, and innovation. Teams that failed to get the culture right struggled to implement the tactical items of building, testing, deploying, and running applications continuously.
“DevSecOps is no different, though there may be even more cultural baggage for teams to work through. Developers and security have historically been aligned to different goals, which have put them at odds. Devs were focused on product development velocity, while security was focused on decreasing risk.
Security is just another part of code quality, and all teams have a vested stake in shipping the best code they can. Teams that rally around this and build a culture accordingly will thrive.
“The truth is, security is just another part of code quality, and all teams have a vested stake in shipping the best code they can. Teams that rally around this and build a culture accordingly will thrive. Those that are focused on tactical implementation without examining culture and all that comes with it will struggle.” -Joni Klippert, co-founder and CEO, StackHawk
4. Not understanding the tools, jumping in too quickly, and disrupting the engineering workflow
“To ensure a higher success rate, slowly introduce one security control at a time and ensure the results are valuable to the team. Continuously monitor and improve security processes to minimize disruptions. This includes evaluating results, fine-tuning scanners, and working directly with the engineering teams to minimize false positives. Failing to make this culture transition is the primary reason that DevSecOps fails.
“Shift left means at the beginning of a software development project or product, make sure that all roles and responsibilities are clearly and concisely delegated to each individual who is involved. Bring DevSecOps and security where people are already working. Make it simple to kick off security processes within the tools your engineers are already using.” -Dheeraj Nayal, global community ambassador & region head – Asia Pacific, Middle East and Africa region, DevOps Institute
[ Take a deeper dive into all things DevSecOps. Register to attend SKILup Day: DevSecOps on August 12.]
5. Not getting senior leadership buy-in
“DevSecOps, just like DevOps, is not a team or role but rather culture. Not addressing the culture aspect and just adding a security/DevSecOps engineer role to the existing teams/processes is not the same as adopting DevSecOps and is not likely to yield the expected benefits. Culture often stems from the top, so to get culture right, you need the buy-in of DevSecOps from senior leadership.” -David Slater, product value stream lead – cloud, Tasktop
6. Automation security checks into the delivery pipeline but does not consider the feedback loop
“When dealing with older codebases, companies may find there are a large number of defects identified. The default of “create a Jira ticket for each defect” is not a viable response. The other common pitfall I encounter is underestimating the time it will take to adopt new practices. For DevSecOps to be successful, engaging the delivery teams in the solution is essential.” -Peter Maddison, founder, Xodiac
7. The acceptance of security without the integration of security
“This means a tool or process is accepted without ever being discussed. The team implements the change but does not collaborate on the meaning of that change. Security should never be shown as a hard stop. Instead, the discussion for development should be: Does the delivery introduce new risk?
“On the ops side, the same discussions apply: If a security hole is found, what can we do to make the pain stop first, and then how can we prevent the pain in the future? As with any DevOps pitfall, once an area is found, one should use the retrospective process to identify where improvements can be made in the future.” -Mark Peters, technical lead, Novetta
8. Giving 100 percent clearance to security findings once an artifact has passed the gates of DevSecOps
“DevSecOps is not a destination but a continuous journey. As long as this discipline is baked into DevSecOps, it wouldn’t become a pitfall.” -Sharath Dodda, IT development manager, TD
[ How do containers and Kubernetes help manage risk? Read also: Ten Layers of Container Security. ]