My Journey to DevSecOps
Please allow me to introduce myself. I am a woman IT leader with experience leading teams of up to 50 people in Build and Release Engineering and Cloud Transformations in the private and public sectors across different platforms (AWS, Google, and Azure). In addition, I serve on the board for the California State University Women in Leadership credential program. I started my career in Artificial Intelligence (AI) in an insurance company. I have worked most of my career in Financial Services for companies such as AXA Rosenberg, Western Union, Merrill Lynch (now Bank of America), Moody’s Analytics, Fair Isaac and Company (FICO), and First Republic Bank. I began working in DevOps in 2008 and became a DevSecOps specialist in 2018. I joined the VivSoft Team in 2021 as the Sr. Director for DevSecOps to develop the next-generation platform for solving complex Federal use cases.
At VivSoft Technologies, we champion the practice of DevSecOps in transformational projects for the US Government. These projects share recurring build and deployment automation patterns with stringent security requirements. But before I dig into the solutions, I'd like to discuss the term "DevSecOps."
While Development Operations (DevOps) was born in 2008 to improve communication between system administrators and developers, Development Security Operations (DevSecOps) was born in 2018 to bridge the gap between development and security engineering. This was the advent of the "shift left" movement, in which security engineers had to get their hands dirty and code alongside DevOps engineers and developers. This was a critical development since it allowed security to be baked in earlier in the software development process, saving companies from fixing issues post-release, which is more expensive and riskier. The impetus for this was the significant data breaches at major enterprises like Capital One, Experian, Anthem, and other companies.
Like DevOps, DevSecOps is based on the need to break down silos and knock down walls (like the Berlin one!). This enables security engineering to team up with the developers to safeguard companies at the code level; for example, early detection can keep security keys out of GitHub. Software Bill of Materials (SBOM) and Zero Trust mandates are further accelerating the adoption of DevSecOps to address compliance requirements. The paradigm shift (pun intended!) put the onus on Security to embrace the art of software development! It is also a behavioral shift, democratizing software more than ever before. Here’s a table comparing how Security used to interact with developers with how we now interact in DevSecOps:
| Developer request | Traditional Security response | DevSecOps response |
| --- | --- | --- |
| I need a port open in the firewall | | Tell me more, how can I help?! |
| Can I use open-source software? | | Let us look at how actively it is maintained and any open vulnerabilities it may have. |
| We need NIST controls tomorrow! | Stop other work and document the controls! | How can I help automate and document the NIST control requirements for you? |
| I would like to on-board a new application | Here is the onboarding ticket template you can use | Here is a template K8s cluster with baked-in Zero Trust security services. |
| What is my application's security score? | We will contract with a vendor to test it and give you a report | SAST and DAST tools are included in your K8s cluster template and build system to scan in real time. |
| Why do I get these false positives in my CheckMarx report? | You just have to log an exception for each scan | Let me show you how to remediate the code or save an exception across builds. |
| Didn't the vulnerability get posted on YouTube 6 months ago? | You have 4 hours to fix it now that we detected it to meet your SLA | Our SOAR system remediated it while we were asleep, minutes after the posting 6 months ago. |
| Why wasn't the development team notified of this issue? | We don't trust them, or they don't know better | We can all learn from each other and solve problems faster that way. |
| Now I have to write my service discovery module! | We need feature completeness before we test | Compliance runs checks, including all security controls, on our daily builds. |
So, how did it impact Site Reliability Engineers (SREs)? SREs focus on reliability, using DevSecOps to ensure “ilities” such as security, maintainability, and quality. SREs are adapting to work with those crafting secure software to keep the ecosystem running after it is delivered. See your friendly SRE for a chaos test mimicking a denial-of-service attack on your K8s cluster that shares the same virtual network with your services (don’t try that at home)!
To bridge some of the challenges I have outlined above, VivSoft’s ENBUILD accelerator further enables secure K8s stack deployment using distros from Azure, AWS, GCP, Rancher (including Federal), or OpenShift. You can select and deploy DevSecOps components of your choice in an interface built with Human-Centered Design and persona-based configurations. This includes integration with GitLab/GitHub for your source repositories and orchestration. You get a choice of Istio, Jaeger, or Kiali for operating and visualizing your microservices. For security management you can choose from Cluster Auditor, Cluster Gateway, Kyverno, TwistLock, or AuthService for your Security Policy Manager. Logging and monitoring integrations include ECKOperator, FluentBit, EFK, Loki, and Prometheus. These components can be further customized based on configuration changes to accommodate the emerging needs of your enterprise end-users.
I would love to hear from you to talk about our approach to enabling enterprise modernization using DevSecOps. Our out-of-the-box support for SBOM and Zero Trust architectures is a true differentiator and value add for customers operating in regulated environments.