Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

DevSecOps: Security at the Speed of DevOps

June 18, 2019 By Katie McCaskey

How do you foster the cultural change necessary to implement DevSecOps?

Larry Maccherone (@LMaccherone) of Comcast shared his approach at the Nexus User Conference.

Larry guides teamwork across the company to support DevSecOps adoption with Noopur Davis, Comcast’s CISO. The challenge is to establish and build trust between developers and security professionals -- folks who previously held opposing goals. But, when these teams work together, the collaborative frameworks create better quality software, faster.

Quality software is resistant to penetration and nimble enough to respond quickly to threats.

Analyze, Learn, and Repeat

Larry highlights the “Analyze and Learn” step as especially critical in the cultural transformation. His philosophy is that teams must stop thinking of security measures as gated off responsibilities.

null

Instead, he says, “We need to, one, take what [security breach] was found and turn into a pattern. Two, we need to find and fix the vulnerability in the codebase and consider how this pattern could be used again. Three, we need to put in place the changes that will prevent this vulnerability in the future.”

Teams collaborate on the solution and establishing preventative steps. Prevention could be in the form of new training or changing the tech stack. The process is tracked in an in-house tool called Greenhouse combined with open source radar visualization.

Using Greenhouse, Larry and his team can identify participants for 90-day plans to strengthen and grow the DevSecOps teams. The idea is to “green up,” or mature, over time. Teams move to darker shades of green along the way to track progress. All team members participate.

DevSecOp Manifesto

“If you’re doing devOps right, you’re always considering security,” says Larry. He outlines his views on DevSecOps as the basis for work at Comcast:

  • Build security in, don’t bolt it on
  • Rely on empowered engineering teams more than security specialists
  • Implement features securely instead of adding more security features

Larry paused to share a quick story to illustrate. A company implemented video recording of every car’s license plate entering their parking lot. The camera, using an OCR reader, quickly identified unexpected guests. An engineer decided to put a MySQL attack in the license plate data, destroying the data. Lesson? Everything connected is a potential attack vector. “Every added feature must consider security. You can’t just think of it as authentication, access, and control.”

  • Rely on continuous learning versus end-of-phase gates
  • Adopt a few key practices deeply and universally versus poorly & sporadically
  • Build on cultural change more than policy enforcement

The latter, says Larry, includes what he calls “The Pledge”. The pledge is used across Comcast. “It states that we trust you, developers, to do the right thing. We understand you will make trade-off decisions between security and other risks. We pledge to give you the information and advice to make informed decisions.” This supports the cultural view that security professionals are no longer gatekeepers but tool-smiths and advisors.

The Trust Algorithm

Larry also discusses the additional approaches to enhance DevSecOps practices. There is the “Security Guild,” an internal community to share ideas and get feedback. There is also an “Artisan Track” where employees can earn belts and badges to demonstrate expertise. The gamification and skill-building enhances mutual trust.

These tools support what Larry refers to as the “Trust Algorithm.” He details the components of trust as credibility, reliability, empathy, and self-interest. You can learn more about them, and Larry’s philosophy, in a five-post series on DevSecOpsDays.

Watch the details from Larry’s conference session, here:

 

Tags: devsecops, Post security/devsecops

Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.