RSAC 2018 kicked off today with DevOps Connect: DevSecOps Day @ RSAC 2018. This full day event featured speakers security vendors, security practitioners and development teams. It was interesting to compare the perspectives of the security and development teams when it comes to software security. What was even more interesting was how similar their perspectives are, and to see them presenting on similar topics. In the security industry it is often said that developers don’t care about security. We see evidence that developers do care about security. These sessions proved that security is an issue developers take seriously.
If there was a common thread amongst all the presentations today, it was secure development is an essential part of security and that developers are starting to think of secure code and quality code as linked concepts. This theme, or variations of it, were echoed throughout today’s presentations, demonstrating the shift we are seeing in the market.
During one particular presentation a speaker J. Wolfgang Goerlich, VP for Strategic Security Programs at CBI, discussed how to design and implement a DevSecOps program in 90 days. One point that stuck with me is that security professionals need to be more in touch with what developers are thinking. One way we advocate doing so is by creating developer champions in your security team. Much like security champions on a development team, a developer champion would better understand the goals, objectives and challenges developers face. Goerlich suggested researching future security issues by going to development conferences. There you will hear about the development trends of today that will become the security concerns of the next 3 to 5 years.
Some other tips Goerlich provided for creating a DevSecOps program in 90 days include:
- Don’t change too much too fast.
- Spend the first 30 days learning, the next 30 assessing and the final 30 planning
- When in the learning phase, try to determine what your development team really means when they say “we are doing DevOps”. Many are doing the processes but don’t have the necessary automation.
- When in the assessment phase, be sure to truly assess by figuring out what is needed and what is being done. Don’t be an auditor!
- During the planning phase work with the development team to create a shared set of objectives and measurements to determine success.
- Once you have the plan in place, and buy-in then you can make changes.
- Continue with quick wins. If you have a succession of quick wins in the first 90 days, and then it takes a year to hit the next milestone there will be questions about why you stalled.
Software security is an essential part of security the Modern Software factory that fuels out digital economy. DevSecOps is the way in which we will create more secure code. By integrating software security practices into the DevOps processes already being adopted by development teams, companies will start thinking about security as another element of quality. As a result, we will have a more secure society. Just two years ago I came to RSAC and there was a DevOps days that touched on the importance of security. It was really exciting to see the summit evolve to be DevSecOps and have a stronger focus on security. I look forward to seeing if the rest of the conference is as focused on secure development.