How Comcast Made Quick Work of Adopting DevSecOps

Comcast is not what one would consider a startup, yet it’s been able to move as nimbly as one in an effort to refine one part of its business: software development.

Until about a decade ago, software was pretty much an afterthought to the telecommunications giant. Today, however, software is an increasingly important part of Comcast’s business, and the company has thousands of developers writing and implementing code.

But when a huge organizations suddenly finds itself in the software business, it quickly has to start answering some important questions, such as the one Noopur Davis, Comcast’s chief product and information security officer, shared during a well-attended session at the RSA Conference in San Francisco Tuesday: “How do we show that we’re building security in as we’re working on these products?”

The answer, as many seasoned software development pros will tell you, is DevSecOps, an emerging practice that makes security a fundamental part of application development.

The way Davis sees it, DevSecOps is really about engineering teams taking ownership of how their products perform in production. And Davis hasn’t wasted any time in seeding that kind of ownership.

“Because our software heritage is not as old, we’re more able to adopt modern development methods,” she told the roomful of attendees.

Davis joined Comcast 3 years ago and made DevSecOps an immediate priority, with good reason. She believes that a new manager has about three to six months during which people really listen to her, after which she becomes just another employee. Apparently, Davis was able to build a lot of good will for DevSecOps in those first few months.

“I was lucky that I had a team that believed in it,” she said.

With that initial support, Davis went to work on a framework by taking steps such as obtaining executive sponsorship, defining a security maturity model and building community. With that framework in place, the next step was to establish a set of guiding software development lifecycle principles, which looked like this:

-Build security into products as opposed to bolting it on later;

-Empower engineering teams (rather than security specialists) to own security and get good at it;

-Implement features security rather than focusing on security features;

-Rely on continuous learning instead of an end-of-phase approach; and

-Emphasize culture change over policy enforcement.

Working with those principles, Davis and her team created an engagement model in which development teams perform info-gathering surveys, conduct self-assessments, set and execute plans, and then re-assess things. The team then defined its security maturity model to specify that code analysis would occur whether code was written or imported.

That said, Davis made it clear that all the frameworks and models in the world will amount to squat unless there is organization-wide adoption.

“The ultimate level is when it’s become a part of your culture,” said Davis.

It appears Davis efforts have reached that level.

“We have so much demand now that my team can’t keep up with the requests for help,” she said.

To help with that demand, Comcast also established a security guild for empowering its engineers and further building community, as well as a martial arts-inspired belt system that identifies people based on how much DevSecOps training they’ve had.

While it’s clear that not every organization has the scale to take all of these steps, Davis had some tips for companies looking to adopt DevSecOps. She said a good way to start is to find someone in the organization who’s passionate about the topic, identify a DevOps team that wants to add security to the equation, and define security practices that can be added to the DevOps pipeline.

Over the ensuing few months, she suggested defining a security maturity model, engaging with more teams, and choosing one or two tools. Within six months, she said a DevSecOps effort should have produced some fruit, and she recommended making heroes out of the teams behind those early successes.

“You really want to try something out,” said Davis, “and when it works, you want to do more of that.”

Sage advice from someone who’s brought DevSecOps to life in a huge organization.



*** This is a Security Bloggers Network syndicated blog from RSA Conference Blog authored by Tony Kontzer. Read the original post at: http://www.rsaconference.com/blogs/how-comcast-made-quick-work-of-adopting-devsecops