6 Practical Steps to Implement DevSecOps in the Cloud

Implementing DevSecOps can help keep cloud environments more secure so you can stay ahead of attackers.

Despite the emergence of digital transformation and the growth in cloud technologies, many organizations still struggle to modernize their operations and security and lack the right tools and processes to fully function in a cloud environment.

However, the tides appear to be turning, with more organizations accepting DevSecOps as the primary method to assist with this shift. According to the “2018 Global Security Trends in the Cloud” report, 45 percent of IT security stakeholders agree that adopting a DevSecOps methodology is one of the primary organizational changes that would help improve security for their cloud environments.

DevSecOps brings security and operations into the development process and helps ensure that everyone within an organization is responsible for security and compliance. Implementing DevSecOps means creating a “security as code” culture, where security is integrated with all phases of DevOps practices—keeping regulations and security top of mind while maintaining speed, agility and the innovation needed to stay ahead of attacks.

But this is easier said than done. When you’re facing a wide range of security and compliance challenges, how do you implement DevSecOps in a sustainable way? Making the shift can seem complicated and confusing, but a few practical steps can get you headed in the right direction. Here are six tips to help you bake security into the DNA of your cloud-based organization.

Code Analysis

Today’s market calls for the flexibility to change software rapidly—sometimes several times per day—in response to customers’ needs. Agile development teams have adapted to this demand. However, old security models, poorly suited to rapid delivery cycles, can quickly derail agile release cycles and throw a wrench in the works for an organization’s evolving software products. An agile approach to security operations helps teams deliver code in small, frequent releases, making it easier to quickly check for vulnerabilities while also embedding code analysis into the quality assurance process.

Automated Testing

Automation is the driving force behind DevSecOps. The objective of automated testing is to simplify as much of the testing effort as possible with a minimum set of scripts. Automated testing tools are capable of executing repeatable tests, reporting outcomes and comparing results with faster feedback to the team. They perform precisely the same operation each time they are executed, thereby eliminating human errors—and can be run repeatedly, at any time of day. Run automated tests at every stage of the development pipeline in order to maximize efficiency and minimize mistakes with code.

Change Management

Make the change management process more efficient by empowering developers with the tools and expertise to respond to—and neutralize—threats before they become a major issue. Allow them to suggest mission-critical security changes at any time, and also set expectations that approved changes must occur within 24 hours.

Compliance Monitoring

With mounting regulations including GDPR, SOC 2 and HIPAA, staying on top of compliance is a must for organizations, which can be challenging when managing the amount of data acquired by digital organizations. When new code is created or changes are made to existing source code, gather evidence of compliance in real time so you are always prepared for reports and audits. This creates a continuous state of compliance that eases any burden caused down the line, if such audits are requested.

Threat Investigation and Vulnerability Management

Discover, investigate and remediate threats or vulnerabilities that have emerged based on the changes you’ve made to the organization with newly delivered code. Even after you’ve released the code and run vulnerability checks, ongoing periodic security scans are key to catch any new bugs or vulnerabilities. Conduct regular scans, code reviews and penetration tests to make sure you are ready for anything—and remember that the vast majority of successful cyber attacks can be attributed to human error.

Security Training for Engineers

Empower engineers with security-specific coding training by sending them to industry conferences or by investing in security certifications. There are lots of training programs and certificates, including popular ones from Stanford and Harvard Extension School, as well as industry conferences such as Defcon that increase the entire team’s knowledge of and investment in security.

Conclusion

Strong IT security organizations today are laying down the building blocks for their DevSecOps strategy from Day 1, but security must provide guardrails, not blockers, to the systems development life cycle and both the continuous integration and continuous development pipelines. This approach is required to maintain speed, agility and innovation while simultaneously meeting regulations and staying alert for malicious cyber threats. Ultimately, the challenge with security—particularly in the cloud—is to deal with imminent cloud-based attacks while at the same time continuously monitoring day-to-day activities, all while assuring users that their information is properly secured. Maintaining this balancing act is easiest, and most scalable, under the mantra of DevSecOps. Do it from Day 1, and you won’t regret it on Day 1,000.

George Gerchow

Avatar photo

George Gerchow

As Sumo Logic's Chief Security Officer, George Gerchow ‪brings over 20 years of information technology and systems management expertise to the application of IT processes and disciplines. His background includes the security, compliance, and cloud computing disciplines.

george-gerchow has 3 posts and counting.See all posts by george-gerchow