These Chicago Companies Embrace a Security-First Mindset with DevSecOps

Leaders from Amount and Envoy Global describe how their teams have embraced DevSecOps, the tools they use and their tips for overcoming challenges in adopting a security-first mindset.

Written by Olivia McClure
Published on Sep. 14, 2023

Security isn’t always an obvious must-have when it comes to the software development lifecycle.

Stronger protection is sometimes associated with slowed-down processes and weaker innovation. But Chief Information Security Officer Subhajit Deb disagrees. 

That’s why his team at Envoy Global decided to embrace DevSecOps, a practice that integrates security testing at every stage of software development. For Deb, this approach includes teaching developers to code with a security-first mindset, which prevents issues from becoming bigger problems later on.

“Security became a shared responsibility, enabling developers to identify and fix security issues in near real time rather than ‘bolting on’ security at the end,” he said. 

Of course, instilling a security-first mindset doesn’t just happen organically. Teams must leverage the right tools to facilitate seamless collaboration across development, security and IT operations. 

The team at Amount leverages various technologies, including Terraform Enterprise, to ensure its approach to DevSecOps is successful, according to SecOps Manager Don Stewart. Terraform helps the team automate the deployment and management of apps running on platforms such as Kubernetes. Stewart’s team also uses CrowdStrike Falcon Cloud Workload Protection, as it’s proven to be effective at identifying and stopping malicious attacks at multiple points as well as identifying indicators of misconfiguration.

While employing powerful technology is key to DevSecOps, Stewart explained that it’s equally important for leaders to show their teams that security is a necessity, not a hurdle. By creating a sense of structure surrounding DevSecOps, leaders can make it easier for teams to fully embrace the practice. 

“Having regularly scheduled meetings and training sessions and sharing our processes and workflows have allowed our teams to more effectively identify vulnerabilities, improve collaboration, reduce operational costs and enhance our compliance, which reduces potential risks,” Stewart said. 

Below, Deb and Stewart describe how their companies approach DevSecOps, the tools they use and how they overcome challenges associated with the practice. 

 

Subhajit Deb
Chief Information Security Officer • Envoy Global

Envoy Global’s enterprise immigration management platform helps companies hire and manage an international workforce. 

 

How does Envoy Global approach DevSecOps, and what are some fundamental best practices you swear by?

The fundamental approach Envoy adopted for DevSecOps is to harmonize development practices and tools with IT operations and security. This approach included integration of culture, architecture, design, automation and security principles, with every stakeholder having a role to play. 

We infused security early and intentionally, from planning and design to coding, building, testing and release, with real-time continuous feedback loops and insights. We trained development teams to code with security in mind, test during the build phase and catch and fix vulnerabilities before they go too far into production. With this altered value chain, we saw ongoing and flexible collaboration between development, testing and releases, focusing on speed and velocity without compromising security. Fundamental best practices we found valuable include frequent architectural reviews, communication and feedback and standardizing the build, deployment and monitoring process.
 

What are the tools in your tech stack that allow DevSecOps to be successful, and why did you turn to these tools?

Our tools were selected thoughtfully with several factors in consideration: customizability, ease of integration, support, nativity to the core stack, automation, orchestration and compliance readiness. We use Azure and other third-party tools to ensure all systems are built in each environment with consistency and configuration based on company policies. We use a variety of key tools, including Slack and JIRA for planning and collaboration, container and cloud security, threat modeling, application security testing, provisioning and configuration management, source code scanning, synthetic monitoring and observability monitoring.
 

What challenges are there to adopting DevSecOps, and how can other companies navigate them?

Two notable challenges most organizations need to navigate through while adopting DevSecOps are cultural shifts and complex tool integrations. A DevSecOps approach requires a huge culture shift within the organization, which challenges the way many departments have operated in the past. Some people believe that better protection slows down processes and restricts innovation. With thorough training and clear goal-setting, teams can overcome cultural obstacles while fostering alignment more quickly toward a security-first mindset.


 

Most DevOps toolchains are produced by different vendors, and adding security tools into that pipeline can create an additional challenge. Consolidating and orchestrating the output in a “single pane of glass” is often the key to ensuring clear intent, full visibility, decreased cost, increased pace and better ROI.

 

 


 

Don Stewart
SecOps Manager • Amount

Amount’s platform enables financial institutions to provide digital banking services and point-of-sale financing. 

 

How does Amount approach DevSecOps? 

At Amount, we continuously improve our processes and workflows to stay current as technology rapidly grows and develops. The security operations and infrastructure teams collaborate to align on business-driven security services and ensure that security is built into applications rather than ad-hoc or manually. 

 

BEST PRACTICES ON STEWART’S TEAM

  • Threat modeling and risk assessments — understanding the “who, what, when, where and why” allows us to outline possible attack scenarios and vulnerabilities and identify security gaps.
  • “The early bird gets the worm” — this idea places security at the front of the pipeline. It requires software and security engineers to collaborate at the start of the development lifecycle and allows their teams to identify risks more quickly and take action earlier.
  • Enablement and workplace culture — creating a culture that embraces change and sees security as an aid instead of a hurdle is essential for DevSecOps longevity. Appropriate best practices and technologies are continually being developed and established to help developers gain the knowledge needed to create a unified security effort.

 

What are the tools in your tech stack that allow DevSecOps to be successful, and why did you turn to these tools?

Amount uses Terraform Enterprise as our “infrastructure as code” tool, which is best used for automating deployment and management of apps running on platforms such as Kubernetes. When vetting tools, we found that TFE provided the most flexible model, allowing us to represent physical hardware, virtual machines, containers and more. This tool assists with reducing time to provision and managing resources of cloud systems and also allows for quick and reliable deployments to the pipeline.

Sumologic has been our go-to security incident event management tool, as it allows us to centralize, analyze and organize our logs in a way that fits with our team workflow for monitoring and incident response.

CrowdStrike Falcon Cloud Workload Protection assists with automated discovery and protection of all workloads in the cloud. This tool is capable of identifying and stopping malicious attacks at multiple points as well as identifying indicators of misconfiguration. As a customer of Falcon for its antivirus and endpoint detection and response, we found that the cloud protection tool allowed us to gain better visibility and be more proactive when discovering and investigating security events and incidents.
 

What challenges are there to adopting DevSecOps, and how can other companies navigate them?

Some of the challenges I’ve noticed with adopting DevSecOps are that it can take some time for teams to fully buy into the improvement of information security. Security can be seen as a hurdle or checkpoint at times, and it’s up to leaders to show that implementing DevSecOps will benefit the organization. As the year has progressed, the security team has been working more closely with our DevOps team and developing our TFE skills to add security earlier in the pipeline and become more proactive rather than reactive.

 

Responses have been edited for length and clarity. Images provided by Shutterstock and listed companies.
