Five Tips for Changing the Engineering Security Mindset

The IT industry has been growing at an exponential rate for some time. With that growth comes the rapid acceleration of the development life cycle, often times leaving security to play catch up. DevSecOps, also known as ShiftLeft, provides increased security by addressing risk earlier in the cycle and carries those practices through to release.

DevSecOps can be hard to do well. You need developers to shift from a function-first to a security-first mindset. To make that change easier, we’ve complied five ways help your team migrate to a DevSecOp model.

1. Hackers are reverse engineers. If you can figure out how to reverse-engineer your code, so can a potential threat. Use Test Driven Development to drive security requirements down into the developer’s hands. Establish Gherkin Tests that turn policy into testable user stories.

2. Humans manage their personal hygiene everyday; engineers should do the same with their security hygiene.  DevSecOps is an agile process that involves security benchmarking in small, manageable batches. Whether everyday or every week, developers should ensure their code is compliant with security measures. Long gone are the days of waiting until deployment to address and resolve potential threats. Establish the role of the Security Champion to make security a priority.

3. But… what about our existing product? DevSecOps does not mean abandoning existing post-deployment security measures like penetration testing and vulnerability scans. It should be seen as an enhancement to the current system. When you clean as you cook, it means less mess in the end. When you conduct code analysis as you develop, you find less vulnerabilities post-release. Using automated scanning throughout the build pipeline informs the development team of risks before going to the next environment and reduces the likelihood of a risk making it to production.

4. Don’t rely on others to do security for you. Open source software, repositories, and tools are great resources that speed up development and get software to the end user faster. However, don’t assume every public tool is security-compliant. Make sure to review and check any tools you use, otherwise you could be leaving holes and vulnerabilities in your system. Highly adopted tools typically have a pay-for-use version managed by a strong vendor (e.g. RedHat). Depending on your environment, consider using a vendor-managed solution.

5. Automate and Collaborate. One of the main complaints with DevSecOps is that the time it takes to conduct security code reviews is not on par with the DevOps timeline. By automating threat monitoring and vulnerability testing, your team has more time to continuously revise and release more code, ultimately speeding up the whole process. Finally, you will need to collaborate across engineering teams and managers.

The first step to DevSecOps is a clear consensus on the importance of DevSecOps. No matter how you spin it, planned work is better than unplanned work. Enterprise environments can decrease application workloads by increasing security control inheritance.