Open Source: DevOps Security’s Best Teacher

According to the 2017 DevSecOps Global Skills Survey, 76 percent of developers lament the lack of security training in formal curriculums. Most (65 percent) end up learning on the job instead, but that can be difficult, as 7 out of 10 developers say their employers lack the resources or will to deliver adequate training. Yet, almost 40 percent of organizations can’t find talent with more than passing knowledge about security testing.

Stopping this merry-go-round and solving the resulting security skills gap calls for a new perspective—one that open source has already brought into sharp focus.

Here are three lessons learned from open source that can help you transition successfully from DevOps to DevSecOps.

Lesson No. 1: Really Change the Corporate Culture

Organizations struggled mightily to resist change to their traditional hierarchical order before open source took over the world. But that “bark orders downstream” management approach eventually proved to be nothing more than an ego-driven bottleneck corked by a single point of failure.

By comparison, an open-source culture is more collaborative and cooperative, with fewer pecking-order issues. Given the very purpose of DevSecOps is to develop the mindset that everyone is responsible for security, an open culture is far more conducive to building and fanning security passions than a hierarchical one is. The good news is that many companies are transitioning to an open culture already, making it easier—at least theoretically—to expand the thinking and processes to security as well.

Make security a top priority in everyone’s job, but follow that with a firm commitment to meaningful and continuous training within an open environment, where sharing information and collaborating are expected and rewarded.

“With major industry breaches further highlighting the need to integrate security into the DevOps process, organizations need to ensure that adequate security training is embedded in their DNA,” said Alan Shimel, editor in chief of DevOps.com, in a statement to the press. “As formal education isn’t keeping up with the need for security, organizations need to fill the gap with increased support for education.”

Some good ways to train developers in security skills are apprentice and mentorship programs, company provided internal or external training classes, paid online training and paid conference attendances. To encourage and even enforce the training, look for ways to shine the light on top and/or consistent security bake-ins and bestow ongoing respect for those who perform well and teach others. After all, an open culture means transparency and sharing. Strive for both throughout the company ranks.

Lesson No. 2: Revamp Rewards and Show Some Respect

Despite what you’ve heard in open-source circles, money does matter. If you think it doesn’t, offer wages and benefits on the cheap and see how fast you lose all your best developers.

However, money isn’t everything, so sweeten the deal with a few extras, too. Luckily, many of those deal sweeteners cost little to nothing.

In the open-source world, developers strive to earn respect from their peers and the right to influence the project. Look to create ways developers can earn respect for and from their teams and the company at large. Make a big deal out of their contributions, because security achieved is a big deal for the company.

Internal and external contests requiring and proving security skills are great motivators, too, such as the Global Cyberlympics and the many other cybercompetitions. Just keep in mind that a lot of developers are builders, not hackers, so look to develop contests or achievement rewards based more on building secure apps.

Lesson No. 3: Make Cross-Business Contributions a Job Priority

Before developers can weave security into their daily work, they need the right tools, great technical support and the freedom to try new ways of doing things.

“I think it’s all too easy for us as security people to say, ‘Developers are stupid and they’re doing it wrong,’” said Daniel Cuthbert, a longtime security researcher, expert in penetration testing and COO at security consultancy SensePost, remarking in the DevSecOps Global Skills Survey. “Actually, we can learn a lot from how they’re doing it. We’ve got to evolve as well.”

The survey also found that “countless penetration tests with no clear action items for developers or scans that aren’t streamlined into continuous delivery tools simply won’t fly in a DevSecOps model.”

In a more collaborative and respectful environment, developers, operations and security folks all evolve and flourish. DevSecOps is really all about everyone contributing something to make projects stronger and better for everyone else—just like it works in open-source communities.

Further, when developers do find successful ways to make apps more secure, they should be required to share that new knowledge with other teams in other parts of the business. That ensures the entire organization profits from that knowledge and the developer or team who came up with it are given the appropriate respect for the achievement.

“It’s about getting out of the mode of being the ‘CS-nO’–the guy who says ‘no’ to everything and getting into the mode of helping developers and operations teams get their stuff done quicker,” said Michael Feiertag, CEO of security startup tCell, in the survey report.

“That’s, I think, the most important thing for security folks as a whole to really internalize. Because frankly, if you move faster, you can be more secure. You just have to iterate it on your security just as you are on your software.”