I am currently tasked with developing controls or standards for our DevOps practices. We are involved in writing these controls to ensure internal standards are met even in the fast-paced world of Agile or DevOps development and continued in operations.
I realize this is a practice that is unique to the company supported, but wondered how widely this is occurring elsewhere. I would also be interested in learning what the size of the company is to understand where the majority of efforts like this are occurring.
DevOps isn't new, but as a practice is fairly new to our company. I work for a rather large enterprise, with 2000 development teams in the mix under our main CIO. I would be interested in what others are doing, and possibly seeing if there is an interest in a discussion group.
Can you explain the post more?
DevOps is not a standard thing. If you ask 10 companies how they do DevOps, you get 11 different answers. With that said, a reply to this post may or may not address your post -- but the community can't tell, as your question is written.
What do you mean by "controls"? Are you referring to NIST standards, etc.?
I'd love to help but without context of what you're asking, I'm not sure how to tailor a response.
Are they security controls (NIST 800-53)? Or are they controls on the development process, like OpenSAMM or an agile development lifecycle?
Do you have an understood development, deployment, and change management process?
Ron Parker CISSP, CCSP
My take is that control objectives don't change as a result of DevOps, but the way the control is executed may; you may trade in your previously manual control for an automated one. Many organizations are at different points on their DevOps journey or have developed widely varying capabilities, so it is important to understand the specific processes under review and what is different about them as a result of your organization's implementation of DevOps. For instance, if your organization is implementing automated deployment of server images, your controls and checks can get built into the deployment script (beats an SOP or checklist). If you have a highly regulated org, there may be processes where you need to put pauses in the automation to obtain required approvals.
The term DevOps gets thrown around quite a lot these days; there's promise of efficiency gains and all that, but it should not be a reason to bypass controls.
"you may trade in your previously manual control for an automated one"
Exactly! Look at what the big hitters are doing (e.g. Netflix, Amazon). Automation is the key to enterprise-level DevOps, both from a development/production perspective and a security perspective. I recommend starting to look at some automation tools like Kubernetes and Jenkins and seeing if you can insert some security jobs at that level.
I agree, DevSecOps or DevOps is as individual as the companies that follow this path.
What I was asking is how many of us deal with the changes required to support DevSecOps. What I mean by controls would depend on what standards or processes you are implementing. Our security strategy is guided by the NIST Cybersecurity Framework, and the framework does apply to what our company is doing.
I just don't hear much about other companies struggling with making security "visible", which is the need from a DevOps perspective, as well as supporting developers in their efforts to create secure code.
As a high level example, here are some of the implementation strategies we are using:
Security Mavens: training development leads to understand the role of security and how that applies to their discipline. How does secure code benefit a developer (less unplanned work, fewer stoppages in the pipeline, etc.)?
Security as code: developers and our App security teams are using OWASP and other guidelines to scan code (static scans, dynamic testing (pen testing), open source scans and dependency evaluations)
Securing the tools that support the CI/CD pipeline: SAML authentication using our corporate directory, segregation of duties, least privilege for jobs, and automation
Automation of cloud processes: app scans, build scans, removal of access to console and locking down access to any cloud environment
This is a small sampling of the activities we have in place or in development; however, we struggle to get security integrated into the pipeline to close the feedback loop. Areas where we are attempting to improve our communication are automating JIRA tickets for IP vulns, cloud scans, and logging alerts.
Does that help?
What are you doing, what level of effort is underway? Is this an isolated process or is it hitting your entire company? One line of business? All lines of business? Is it a coordinated effort?
Let me know if that helps.
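As an added illustration of the two ideas the thread keeps coming back to (a control check built into the pipeline rather than a checklist, with an approval pause for regulated changes, and scan results fed back to developers as tickets to close the feedback loop), here is a small policy gate. It is example code written for this discussion, not anything from the posters' companies; the thresholds, the finding records and the ticket field names are all constructed assumptions.

```python
"""Pipeline control gate: turns merged scanner findings into a pass/fail/approve
decision and issue-tracker payloads, so the control is code, not a checklist."""
import json

# Assumed policy: how many findings of each severity a build may carry.
MAX_SEVERITY_ALLOWED = {"critical": 0, "high": 0, "medium": 5}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed sample of merged output from SAST, dependency and cloud scans.
SAMPLE_FINDINGS = json.loads("""[
 {"source": "sast",  "id": "SQLI-1",    "severity": "high",     "component": "api/orders.py"},
 {"source": "deps",  "id": "DEP-7",     "severity": "medium",   "component": "requests==2.19.0"},
 {"source": "cloud", "id": "S3-PUBLIC", "severity": "critical", "component": "bucket/logs"},
 {"source": "sast",  "id": "LOG-3",     "severity": "low",      "component": "api/util.py"}
]""")

def evaluate_gate(findings, thresholds=MAX_SEVERITY_ALLOWED):
    """Count findings per severity and compare against the policy thresholds.
    Returns (passed, counts, violations) where violations maps severity -> count."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    violations = {sev: counts.get(sev, 0)
                  for sev, limit in thresholds.items() if counts.get(sev, 0) > limit}
    return (not violations, counts, violations)

def ticket_payloads(findings, min_severity="medium", project="APPSEC"):
    """One issue-tracker payload per finding at or above min_severity.
    The field names are a generic assumption, not a particular JIRA schema."""
    floor = SEVERITY_RANK[min_severity]
    return [
        {"project": project,
         "summary": f"[{f['source']}] {f['id']} in {f['component']}",
         "priority": f["severity"],
         "labels": ["pipeline", f["source"]]}
        for f in findings if SEVERITY_RANK[f["severity"]] >= floor
    ]

def gate_decision(findings, requires_approval=False):
    """'fail' stops the pipeline on a policy breach; 'approve' pauses it for a
    human sign-off on regulated changes; 'pass' lets the automation continue."""
    passed, _counts, _violations = evaluate_gate(findings)
    if not passed:
        return "fail"
    return "approve" if requires_approval else "pass"

if __name__ == "__main__":
    print(gate_decision(SAMPLE_FINDINGS), json.dumps(ticket_payloads(SAMPLE_FINDINGS), indent=1))
```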