richarc
Newcomer II

How many of you are involved with controls for DevSecOps practices or for securing DevOps or Agile

I am currently tasked with developing controls or standards for our DevOps practices. We are involved in writing these controls to ensure internal standards are met even in the fast-paced world of Agile or DevOps development and continue to be met in operations.

I realize this is a practice that is unique to the company supported, but wondered how widely this is occurring elsewhere. I would also be interested in learning what the size of the company is to understand where the majority of efforts like this are occurring.

DevOps isn't new, but as a practice is fairly new to our company. I work for a rather large enterprise, with 2000 development teams in the mix under our main CIO. I would be interested in what others are doing, and possibly seeing if there is an interest in a discussion group.

Thank you,

Chris

11 Replies
mgoblue93
Contributor I

Can you explain the post more?

DevOps is not a standard thing. You ask 10 companies how they do DevOps, you get 11 different answers. With that said, a reply to this post may or may not address your post -- but the community doesn't know, as your question is written.

What do you mean by "controls"? Are you referring to NIST standards, etc.?

I'd love to help, but without context for what you're asking, I'm not sure how to tailor a response.

Thanks,

--Chris

mmerkow
Viewer

I am struggling with the same thing and agree a focused discussion group could be helpful.

scmunk
Newcomer II

I agree.

Are they security controls (NIST 800-53)? Or are they controls on the development process, like OpenSAMM or an agile development lifecycle?

Do you have an understood development, deployment, and change management process?

Ron Parker CISSP, CCSP

SCMunk

Omie
Reader I

My take is that control objectives don't change as a result of DevOps, but the way the control is executed may... you may trade in your previously manual control for an automated one. Many organizations are at different points on their DevOps journey or have developed widely varying capabilities, so it is important to understand the specific processes under review and what is different about them as a result of your organization's implementation of DevOps. For instance, if your organization is implementing automated deployment of server images, your controls and checks can get built into the deployment script (beats an SOP or checklist). If you have a highly regulated org, there may be processes where you need to put pauses in the automation to obtain required approvals.

The term DevOps gets thrown around quite a lot these days... there's promise of efficiency gains and all that, but it should not be a reason to bypass controls.

Craftyfellow
Newcomer II

"you may trade in your previously manual control for an automated one"

Exactly! Look what the big hitters are doing (e.g. Netflix, Amazon, etc.). Automation is the key to enterprise-level DevOps, both from a development/production perspective and a security perspective. I recommend starting to look at some automation tools like Kubernetes and Jenkins and seeing if you can insert some security jobs at that level.

richarc
Newcomer II

I agree, DevSecOps or DevOps is as individual as the companies that follow this path.

What I was asking is how many of us deal with the changes required to support DevSecOps. What I mean by controls would depend on what standards or processes you are implementing. Our security strategy is guided by the NIST Cybersecurity Framework, and the framework does apply to what our company is doing.

I just don't hear much about other companies struggling with making security "visible", which is the need from a DevOps perspective, as well as supporting developers in their efforts to create secure code.

As a high-level example, here are some of the implementation strategies we are using:

Security Mavens - training development leads to understand the role of security and how that applies to their discipline. How does secure code benefit a developer (less unplanned work, fewer stoppages in the pipeline, etc.)?

Security as code - developers and our App security teams are using OWASP and other guidelines to scan code (static scans, dynamic testing (pen testing), open source scans and dependency evaluations).

Securing the tools that support the CI/CD pipeline - SAML authentication using our corporate directory, segregation of duties, least privilege for jobs, and automation.

Automation of cloud processes - app scans, build scans, removal of access to the console and locking down access to any cloud environment.

This is a small sampling of the activities we have in place or in development; however, we struggle to get security integrated into the pipeline to close the feedback loop. Areas where we are attempting to improve our communication include automating JIRA tickets for IP vulns, cloud scans, and logging alerts.

Does that help?

What are you doing, and what level of effort is underway? Is this an isolated process or is it hitting your entire company? One line of business? All lines of business? Is it a coordinated effort?

Let me know if that helps.

Thank you,

Chris
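An added illustration, not code from this thread or from any poster, of the pattern Omie and Chris both describe: scan results evaluated as an automated pipeline gate, a pause for required approval on regulated changes, and a tracker ticket raised to close the feedback loop. The scan type names, severity thresholds, sample findings and ticket shape are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy values (not from the thread): which severities block a
# release, and which scan types every change must have run.
BLOCKING_SEVERITIES = {"critical", "high"}
REQUIRED_SCANS = {"sast", "dependency"}

@dataclass
class ScanResult:
    tool: str       # scan type, e.g. "sast" or "dependency"
    findings: list  # (severity, finding_id) tuples; constructed sample data

@dataclass
class Change:
    service: str
    regulated: bool                 # True if a human approval is mandated
    scans: list = field(default_factory=list)

def evaluate_gate(change):
    """Return (decision, reasons): 'fail', 'pause' (await approval) or 'pass'."""
    reasons = []
    missing = REQUIRED_SCANS - {s.tool for s in change.scans}
    if missing:
        reasons.append("missing scans: " + ", ".join(sorted(missing)))
    for scan in change.scans:
        blocking = [fid for sev, fid in scan.findings if sev in BLOCKING_SEVERITIES]
        if blocking:
            reasons.append(f"{scan.tool}: {len(blocking)} blocking finding(s)")
    if reasons:
        return "fail", reasons
    if change.regulated:
        # Automated checks passed, but the control requires a recorded approval.
        return "pause", ["awaiting required approval"]
    return "pass", []

def ticket_payload(change, decision, reasons):
    """Shape of the tracker ticket a failed or paused gate would raise (assumed)."""
    return {"summary": f"[{change.service}] pipeline gate {decision}",
            "labels": ["devsecops", "pipeline-gate"],
            "description": "\n".join(reasons)}

# Constructed sample changes: a clean regulated change and one with a high
# finding and a missing dependency scan.
CLEAN = Change("billing-api", regulated=True,
               scans=[ScanResult("sast", []), ScanResult("dependency", [("low", "DEP-1")])])
DIRTY = Change("web-front", regulated=False,
               scans=[ScanResult("sast", [("high", "SAST-7")])])
```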

richarc
Newcomer II

Already there - what are you doing?
richarc
Newcomer II

Don't get hung up on "controls" - what is your experience?

Yes, we apply NIST. Yes, we understand change management. If you look at my response to the first poster, you may have a better idea of what I was trying to do.

I don't want advice so much as to find out what others' experience is or has been.
richarc
Newcomer II

I have been in touch with someone who is trying to get a DevSecOps community initiative set up.

I will let you know what happens.