At the end of October, as part of Cybersecurity Awareness Month, experts from Adaptavist and GitLab joined business leaders to discuss challenges, concerns, and smart solutions to transform your organisation's operational security.
Missed the roundtable or want a recap? Here we cover all the key points to get you up to speed.
The big questions
Organisations are facing more security threats than ever before, and data breaches, scams, and ID theft are all on the rise. Some have had to pay out millions and suffered reputational damage that is hard to even put a price on. So what's the solution?
This roundtable, led by Adaptavist's Chief Technology Officer, Jon Mort, and GitLab's Senior Technical Marketing Manager, Fernando Diaz, focused on DevSecOps. Shifting security left and embedding it right at the heart of the software development delivery pipeline is the best way to resolve security issues before they make it into production.
Sure, we need to have well-defined vulnerability and security incident management processes in place. That's a given. But it’s clear that solving the problem after the fact isn't going to cut it. We need to prevent it from happening at source, in the first place.
As with any digital transformation initiative, implementing DevSecOps or adding security to your DevOps processes means taking a new approach to people, processes, and technology. All three were discussed by the experts and a group of senior leaders tackling DevSecOps initiatives, with topics ranging from the current state of operational security and DevSecOps best practices to successful team structures and ensuring separation of duties.
Roundtable Recording: Transforming Operational Security - Shifting Left with DevSecOps.
Watch the Adaptavist and GitLab experts discuss the challenges, concerns, and smart solutions to transform your organisation's operational security.
The state of DevSecOps
The discussion was prefaced by a quick look at the current state of DevSecOps thanks to GitLab's 2022 Global DevSecOps Survey, which included insights from over 5,000 DevOps professionals. It showed that, despite a challenging business environment, the momentum for automation, release cadences, and cutting-edge technology remains strong.
Here are a few of the key survey takeaways raised during the roundtable:
- Security continues to be a key focus for organisations. Similarly to the previous year's survey, 71% of DevOps professionals rated their organisation's security efforts as either 'good' or 'excellent'.
- 57% of security team members said their organisation had shifted security left or is planning to do so this year.
- Concern about security threats has never been higher. 43% of security professionals feel ‘somewhat’ or ‘very’ unprepared for the future.
- While 43% of security team members admitted to still having full ownership of security, a resounding majority (53%) said everyone was responsible for it, a 25% increase from 2021.
Next, we got onto some fantastic in-depth discussions focused on three key areas.
What does a good DevSecOps culture look like?
"Culture change is from what you do, not what you say." – Jon Mort, Chief Technology Officer, Adaptavist
Establishing a DevSecOps mindset is vital: thinking about security right from the beginning when developing applications. That means shifting left, starting with security at the design stage, assessing threats and risks before a new project even starts, and embedding security practices in the software delivery pipeline. Creating a DevSecOps-centric culture should include in-depth analysis to understand the threats, together with clear policies, so that staff across the organisation are security-aware and know how to handle data.
“At GitLab, we include security awareness as part of our day-to-day. We ensure employees are trained on security, even if they're not in a security role. For example, we have policies in place for employees to follow best practices when opening unknown emails, sharing data, etc., with training around these areas.” – Fernando Diaz, Senior Technical Marketing Manager, GitLab
There should also be good change-control practices, such as code review, segregation of duties, and minimal permissions. Practices tailored to an organisation's context and scale are needed to ensure that the culture of security is carried from intention through to actionable change.
Additionally, checks and balances should be implemented into a platform to prevent mistakes, such as merging insecure code. Also, there should be regular collaboration between developers and the security team. This not only educates developers to be more security conscious but reduces the time to push secure code.
What are the main security-related issues DevSecOps implementation can resolve?
"Going fast puts everyone else at risk. But with everyone really understanding that not adhering to compliance puts the company at risk, it leads to more collaboration with the compliance officers. There's a mutual understanding of why compliance is important." – Fernando Diaz, Senior Technical Marketing Manager, GitLab
An important part of the DevSecOps journey as a company is understanding where you are now and what issues you are facing. Adaptavist's maturity assessment is a great way to establish a baseline and highlight where improvements can be made. For example, do you have problems scanning code for vulnerabilities? It can be a big issue for many organisations. There are solutions out there. For example, GitLab provides a large set of security scanners, but many people don't know how to get started with them or what they actually do.
You need to be able to triage and manage those vulnerabilities, too, as well as adhering to strict compliance policies; GitLab has vulnerability management – to triage and manage the vulnerabilities found within your project – and compliance management built in. A compliance dashboard, for example, helps you to see where your organisation is strong and where there are areas for improvement.
"With very strict compliance policies, there are lots of things you need to check and maintain. It's very complex. There are so many different types of code scanners. How do you know you're using the right ones? And how can you manage these vulnerabilities? These things aren't obvious at first, but can be planned out with a deeper understanding of your compliance needs." – Fernando Diaz, Senior Technical Marketing Manager, GitLab
What are the best practices companies should be implementing?
To bring your DevSecOps implementation up from scratch, you want scanners to be running each time a code commit is pushed to a feature branch. This way, you'll always know what vulnerabilities are present and can address them before that code is pushed to production. And any vulnerabilities seen in production should be triaged as soon as they arise, along with additional alerts. Automation is key here.
"Automation can really make sure there are tickets to track the work that needs to be done, mitigating vulnerability and making it a part of the regular development life cycle is massively important and a fairly simple thing to do." – Jon Mort, Chief Technology Officer, Adaptavist
Automation is also your friend when it comes to scanning for malicious activity or detecting an unwarranted escalation of privileges. Continuous compliance, combined with the automation necessary to detect, fix, and raise issues, ensures that being compliant isn't an ad-hoc or periodic task left to a few specific roles.
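The merge gate and ticket automation described above, as an added example that is not part of the original roundtable or GitLab's own tooling: it parses a scanner report, blocks when findings reach a chosen severity, and emits one tracking line per blocking finding. The report sample is constructed inline and its shape (a `vulnerabilities` list with `severity`, `name` and `location`) is an assumption modelled on GitLab's security report JSON.

```python
import json
from collections import Counter

# Constructed sample report (assumption: mirrors the GitLab security report
# layout of a "vulnerabilities" list carrying severity, name and location).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "v1", "severity": "Critical", "name": "SQL injection",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "v2", "severity": "High", "name": "Hardcoded credential",
         "location": {"file": "config/settings.py", "start_line": 7}},
        {"id": "v3", "severity": "Low", "name": "Weak hash algorithm",
         "location": {"file": "app/util.py", "start_line": 19}},
    ],
})

# Ordering used to compare a finding against the gate threshold.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def load_findings(report_text):
    """Parse the report and keep only the fields the gate and tickets need."""
    findings = []
    for v in json.loads(report_text).get("vulnerabilities", []):
        loc = v.get("location", {})
        findings.append({
            "id": v.get("id"),
            "severity": v.get("severity", "Unknown"),
            "name": v.get("name", "unnamed finding"),
            "where": f"{loc.get('file', '?')}:{loc.get('start_line', '?')}",
        })
    return findings


def gate(findings, fail_at="High"):
    """Return (ok, blocking): ok is False when any finding is at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return len(blocking) == 0, blocking


def summarise(findings):
    """Count findings per severity for the pipeline log."""
    return dict(Counter(f["severity"] for f in findings))


def ticket_lines(blocking):
    """One line per blocking finding, ready to become a tracking ticket."""
    return [f"[{f['severity']}] {f['name']} at {f['where']} (id {f['id']})" for f in blocking]


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    ok, blocking = gate(found)
    print(summarise(found))
    for line in ticket_lines(blocking):
        print(line)
    raise SystemExit(0 if ok else 1)   # non-zero exit fails the CI job
```

Run as a job after the scanners in a feature-branch pipeline; the non-zero exit stops the merge while the ticket lines feed whatever tracker the team uses.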
When it comes to all these processes, it's important to consider how you will scale your successful security practices as the organisation grows without losing their effectiveness.
"For every 20 developers, you might have one security team member or less. That's why it’s important to think at scale with everyone thinking about security, with accessible tools, rather than only specialists being able to use those tools." – Fernando Diaz, Senior Technical Marketing Manager, GitLab
A DevSecOps partnership
As a Select GitLab partner, Adaptavist's mission is to deliver end-to-end DevOps services and solutions to help you build and implement continuous integration (CI) and continuous delivery (CD) systems, including successful DevSecOps implementations.
We use the latest industry-proven techniques that allow you to maximise the benefits of your IT investment. Our services range from maturity assessments, implementation, and strategic guidance to data migration and integration, coaching and training, and DevOps as a Service.