How do you foster the cultural change necessary to implement DevSecOps?
Larry Maccherone (@LMaccherone) of Comcast shared his approach at the Nexus User Conference.
Larry guides teamwork across the company to support DevSecOps adoption with Noopur Davis, Comcast’s CISO. The challenge is to establish and build trust between developers and security professionals, two groups who previously held opposing goals. But when these teams work together, the collaboration produces better-quality software, faster.
Quality software is resistant to penetration and nimble enough to respond quickly to threats.
Analyze, Learn, and Repeat
Larry highlights the “Analyze and Learn” step as especially critical in the cultural transformation. His philosophy is that teams must stop thinking of security measures as gated off responsibilities.
Instead, he says, “We need to, one, take what [security breach] was found and turn it into a pattern. Two, we need to find and fix the vulnerability in the codebase and consider how this pattern could be used again. Three, we need to put in place the changes that will prevent this vulnerability in the future.”
Teams collaborate on the solution and on establishing preventive steps. Prevention could take the form of new training or a change to the tech stack. The process is tracked in an in-house tool called Greenhouse, combined with an open source radar visualization.
Using Greenhouse, Larry and his team can identify participants for 90-day plans to strengthen and grow the DevSecOps teams. The idea is to “green up,” or mature, over time. Teams move to darker shades of green along the way to track progress. All team members participate.
“If you’re doing DevOps right, you’re always considering security,” says Larry. He outlines his views on DevSecOps as the basis for work at Comcast:
- Build security in, don’t bolt it on
- Rely on empowered engineering teams more than security specialists
- Implement features securely instead of adding more security features
Larry paused to share a quick story to illustrate. A company implemented video recording of every car’s license plate entering its parking lot. The camera, using an OCR reader, quickly identified unexpected guests. An engineer put a MySQL injection attack in the license plate data, and it destroyed the data. Lesson? Everything connected is a potential attack vector. “Every added feature must consider security. You can’t just think of it as authentication, access, and control.”
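The parking-lot story as an added example (not code from the talk or from Comcast): the OCR'd plate text is handed to a database lookup, first with the defect the story describes and then with the plate bound as a query parameter, plus a plate-format check as a second layer. It assumes a sqlite3 in-memory table standing in for the MySQL store and a constructed allow-list of expected plates so it runs offline.

```python
import re
import sqlite3

# Constructed sample data: the allow-list of expected visitors' plates.
EXPECTED_PLATES = ["ABC1234", "XYZ9876"]
# Assumed plate format: letters and digits only, 2 to 8 characters.
PLATE_RE = re.compile(r"^[A-Z0-9]{2,8}$")


def make_db():
    """Build the allow-list table (sqlite3 stands in for MySQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expected (plate TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO expected VALUES (?)",
                     [(p,) for p in EXPECTED_PLATES])
    return conn


def is_plausible_plate(text):
    """Second layer: reject any OCR read that is not letters and digits
    before it reaches a query at all."""
    return PLATE_RE.fullmatch(text) is not None


def is_expected_vulnerable(conn, plate):
    """The defect from the story: the OCR'd text is pasted into the SQL
    string, so whatever the camera read is interpreted as SQL."""
    sql = f"SELECT COUNT(*) FROM expected WHERE plate = '{plate}'"
    return conn.execute(sql).fetchone()[0] > 0


def is_expected_safe(conn, plate):
    """Hardened form: the plate is bound as a parameter, so the database
    treats it purely as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM expected WHERE plate = ?"
    return conn.execute(sql, (plate,)).fetchone()[0] > 0


def demo():
    """Run both lookups on a genuine plate and on a constructed hostile
    OCR read; returns which version wrongly admits the hostile one."""
    conn = make_db()
    hostile_read = "ZZZ0000' OR '1'='1"  # constructed, not a real read
    return {
        "legit_vulnerable": is_expected_vulnerable(conn, "ABC1234"),
        "legit_safe": is_expected_safe(conn, "ABC1234"),
        "hostile_vulnerable": is_expected_vulnerable(conn, hostile_read),
        "hostile_safe": is_expected_safe(conn, hostile_read),
        "hostile_passes_format_check": is_plausible_plate(hostile_read),
    }
```

The concatenated query admits the hostile read as an expected visitor; the parameterized query and the format check both reject it, which is the "implement features securely" point rather than a bolted-on control.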
- Rely on continuous learning versus end-of-phase gates
- Adopt a few key practices deeply and universally versus poorly & sporadically
- Build on cultural change more than policy enforcement
The latter, says Larry, includes what he calls “The Pledge”. The pledge is used across Comcast. “It states that we trust you, developers, to do the right thing. We understand you will make trade-off decisions between security and other risks. We pledge to give you the information and advice to make informed decisions.” This supports the cultural view that security professionals are no longer gatekeepers but tool-smiths and advisors.
The Trust Algorithm
Larry also discusses additional approaches that enhance DevSecOps practices. There is the “Security Guild,” an internal community for sharing ideas and getting feedback. There is also an “Artisan Track” where employees can earn belts and badges to demonstrate expertise. The gamification and skill-building enhance mutual trust.
These tools support what Larry refers to as the “Trust Algorithm.” He details the components of trust as credibility, reliability, empathy, and self-interest. You can learn more about them, and Larry’s philosophy, in a five-post series on DevSecOpsDays.
Watch the details from Larry’s conference session here: