DevSecOps: If You Build It, They Will Come

Spring training for Major League Baseball in the United States has begun. Millions of people share my love for baseball; however, the same can’t be said for security and compliance—well, at least not yet. Perhaps one day.

Recent Posts By Derek E. Weeks

• Reducing Risk in Applications Using Docker Containers
• 200 Billion Downloads Can’t Be Wrong
• Challenges in Leading a DevOps Team at a Fortune 100 Company

More from Derek E. Weeks

Related Posts

• From a Commodore 64 to DevSecOps
• DevSecOps: Embedding a Security Practice into your DevOps Approach
• Implementing DevSecOps in the Mainframe-Driven Enterprise

Related Categories
• Blogs
• DevSecOps
• Enterprise DevOps

Related Topics
• all day devops
• devsecops
• infrastructure
• security

Show more

Show less

Much like in the immortal baseball movie, “Field of Dreams,” if you build a friendly security and compliance system, the developers and operators will come. At least, that is the contention of Julie Tsai (@446688), senior director of security operations at Box.

I first met Julie at the RSA conference’s DevSecOps Days three years ago and have been following her musings since. I recently watched Julie’s presentation, “Build It and They Will Come-pliant: DevSecOps in the Real World,” from All Day DevOps. Here is a summary of what I learned:

Good Architecture Sustains Sound Applications and Security

Julie’s contention is that you can build a system that might actually bring a little joy to developers and operators, and it starts with realizing that, at the end of the day, we are all looking for good architecture. Good architecture sustains sound applications and security. It makes everyone’s life easier, so we all have a little time for baseball (or football or board games or even curling).

The good news is that DevOps organizations are ahead of the game. Julie pointed out the old joke, “DevOps … isn’t that just where you give the keys to the developers?” Well, no, and it isn’t a specific tool or deployment. For security, it is about being lean on requirements, building compliance in from the start and integrating it across the development life cycle so you can build something that is secure and performant. Besides these being best practices for developers, they also allow you to use your code and policies to appease your auditors, as compliance is built-in. Bottom line: DevOps puts the rigor around security and compliance.

It Takes a DevSecOps Village

Julie pointed out a couple of takeaways from DevOps that help security and compliance:

 
1. You can own a problem and be an individual leader. You can think globally but act locally by seeing across the silos and bringing a message of empowerment.
 
2. It provides a path toward integration to internalize other groups’ values, bring them into your own words and ways and mutually reinforce and thrive. It also informs how people work together.
 

Remove Friction to Scale DevSecOps

The goal here is to ultimately get us something easier to scale and maintain and be compliant and secure. Julie outlines steps to get you closer to this idyllic system:

 
1. Use configuration management because it leads to precision and more unified and verifiable work.
 
2. Get rid of whatever you can to eliminate mistake factors. You will also get to a place to streamline workflow so there are fewer mistakes.
 
3. Extend infrastructure as code. It can become configuration as policy and your audit trail can connect the intent to the execution.
 

DevSecOps: Where Things Go Wrong

With these in place, Julie contends you need to realize the world isn’t perfect, so you need to build a system that injects security and compliance where it is most effective. To find the areas in the development life cycle that it is important to inject, ask these questions:

 
1. Where is someone intending to make a change?
 
2. When you are releasing it live into your production stack?
 
3. What is happening when something isn’t going as expected? Is it being changed back to where you need it to be, are you monitoring it, or are you doing nothing?
 

DevSecOps: String Together Wins

You also need to make it simple. She quoted Mark Burgess, “IT has a detail sickness,” noting that, “We are often burdened by complexity—we love it and dig right in, but it is important to understand the level of granularity you need. You need to look for the things that can make a critical uplift that gives you an incremental improvement. String together the wins.”

In the end, Julie said to “try to reach a goal of being visible and streamlined and leverage the automation and technology in a way that is joyful in how we use it. It is not about a rigid process that is going to die soon; it is about what we are trying to bring to the whole world so that we work more efficiently and more technical.”

The entirety of Julie’s presentation—including some live Q&A—is available here. If you missed any of the other 100 speakers at All Day DevOps, you can find their 30-minute presentations here.

Featured eBook

The Application Security Guide for Modern Operations Teams

There’s no question – operations teams have seen major benefits from DevOps. Yet, many security teams are still stuck relying on true-but-tired defensive measures from the days of slow moving IT, while operations has radically transformed into a fast-moving IT delivery pipeline. However, there is a better way for both ... Read More