In Conversation With A DevSecOps Practice Manager
DevSecOps is not just a passing fad. It is a specific implementation of DevOps with a focus on security being integrated in the deployment pipeline. It allows organisations to scale secure development practices throughout the organization leveraging on automation and heightened cyber risk-aware culture.
DOI Ambassador, Feisal Ismail sat down (virtually!) with Ding Lit Hwang, a DevSecOps practice manager in a leading news and media conglomerate headquartered in Singapore and encompasses newspapers, magazines, and digital content business
1. Why DevSecOps? What is the issue you are trying to get to grips with in implementing this practice?
Firstly, I joined this organization three years ago and there was already a DevOps practice in place, albeit in it’s formative stages. A DevOps team was supporting developers in doing monitoring and source code control and management, for example. One of the biggest issue then was CD being interpreted as Continuous Deployment.
Automatic deployments to production were causing incidents because of developmental mistakes and moves to production were done during office hours which caused significant loss of goodwill with the business. We immediately put a stop to several practices which include allowing developers to deploy code into production automatically and gating the deployment process with approvals required from key stakeholders via a ticketing system. The incidents showed that there is a significant risk to the business and this practice had to be fixed. Consequently, there was a reduction in production incidents and even when there were incidents, it happened at
Application Security effort was outsourced and rudimentary, limited to mainly penetration testing. Even then, these tests found significant issues and vulnerabilities that took time for development teams to address them. This did not cut it. Much of our source codes where developed in-house and it made sense for application security to also be done in-house. A decision was made to implement and scale security practices like code scanning and secure coding which involved the active participation of developers.
We partnered with a vendor to organize hackathon and bug-bounty driven by the newly minted Cybersecurity organisation. There was a concerted effort to embed and seam in Application Security practices into the software development process. We did not allow Application Security to be viewed as a barrier for deployments but a natural part of it.
2. What is the next step for the nascent DevSecOps practice?
The application security practice will need to evolve. Currently, much of the gating done were “soft-gates” where stakeholders can authorize moving to the next stage by waiving off adherence to security standards. As part of the evolution, we intend to implement “hard gates” where deployment stops if certain pre-determined mandatory security requirements are not met. We think that the business stakeholders and developers are mentally ready for that step.
3. If you had to do it all over again, what would you do differently? What were your biggest challenges?
To be honest, I would have probably engaged a third party to assess, identify and prioritize the gaps and help define an implementation roadmap that is realistic. In hindsight, our DevSecOps implementation approach is rather haphazard and we were constantly derailed or distracted by operational issues. I would have done it as part of a managed programme with a shared understanding of the objectives, roadmap, timelines, investments and business changes that are required for DevSecOps. The outcomes might still be the same but there is a shorter and less painful runway for the transformation.
My biggest challenge then and now is hiring good, qualified and experienced people. There is a high demand for DevOps and security skillset. There are way sexier options out there with eCommerce, financial institutions and technology giants getting first bite of top talent. Additionally, I feel that the current internal equity within my organization does not compare well with that of the companies we are competing for talent with. Of course, we are also exploring upskilling our current workforce but that would mean that we cannot evolve at the pace we desire.
4. Any parting final words of advise for anyone entertaining the idea of implementing DevSecOps?
DevSecOps is not just a buzzword. It delivers real benefits to the business but does require lots of careful consideration and investment. Recognize that every organization is setup differently and it would be good to learn from leading industry framework and practices. Be clear on what is the problem you are trying to solve with DevSecOps and contextualize your practices to suit your organization.
Do not disregard the cultural and mindset shift that is necessary. Your people must be prepared to embrace the change.
Lastly, put some numbers and measurements to track the progress of your DevSecOps implementation. You need to demonstrate to the business the outcomes and impact of these changes. It’s got to be justified.
Learn more about DevSecOps, DevOps and Site Reliability Engineering with these available courses today!