Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be 30 minutes or less, and is an interview-style series highlighting some of the top Security Testing experts in the field.
This episode of the TestGuild features Hasan Yasar. Hasan Yasar is the Technical Director of the Continuous Deployment of Capability Group at the Software Engineering Institute, CMU. He leads an engineering group to enable, accelerate and assure transformation at the speed of relevance by leveraging DevSecOps, Agile, Lean, AI/ML and other emerging technologies to create a Smart Software Platform/Pipeline. In this episode, Yasar shares his thoughts on DevSecOps. He discusses the common misconceptions and roadblocks that exist, and how to use DevSecOps to help your organization reach new heights of efficiency and productivity without getting frustrated.
What do we mean by DevOps and DevSecOps?
“DevOps is a set of principles and practices, emphasizing collaboration and communication between software development teams and IT operations staff along with acquirers, suppliers, and other stakeholders in the lifecycle of software systems (…) However, the industry, or whoever is practicing DevOps, often ignores the security elements. (…) It's not an intentional thing; it’s more about security testing usually being done after the integration phase or before deployments. (…) So, the DevSecOps movement emphasizes running security throughout the lifecycle (…) As a community, we decided to use the DevSecOps concept to emphasize security throughout the lifecycle because it's not done enough. You just say ‘DevOps’, but you need to think about security as an important element as well, so we are calling it ‘DevSecOps.’ In another session, I actually said that DevSecOps is doing the right version of DevOps.”
The 3 pillars of DevSecOps:
“Culture is one dimension; I call it the first pillar. We create the right culture and the right environment which enable people to share, to trust each other, to collaborate on the topics or the problems, especially within the security domain. For example, if I'm able to share information with my dev team, my architect team, they will have good information about my system, and they can do a better job when they write the code.”
“Automation. How can we automate all our security testing? How can we automate our threat modelling? How can we insert our threat modelling into our continuous integration/continuous deployment process, or how can we create an infrastructure check based on our compliance requirements? How can we check our server configuration? So, automation is essential to establish security throughout the lifecycle.”
“Process and practices. As a team, we know how we are going to work together, and we know what our game plan is. It's important to have the right processes and practices to help each other establish automation within the DevSecOps environment.”
How to create the right culture
“There isn't a single solution or recipe to fix the culture. It is tough. I mean, there are many ways to establish common collaboration, starting with understanding what we are doing in the business. What are our business goals? What are our objectives and vision? (…) Why are we here? What is our purpose? So basically, let [your team] connect with the vision and goals, so people, who are all stakeholders, feel responsible for the same vision so they can succeed.”
“After building a better environment for the journey, (…) eliminate any type of blaming culture (…) We're not going to blame each other, and we will look at it from a solution perspective. We will help each other and learn from our lessons (…) and do better next time. That's how you start: with management’s support and at the team level.”
“Another thing I would like to add is to open up good communication and good collaboration. (…) Good communication with team members through tools, like using chat or using a shared platform. If I share my information with my dev team member, then that other person will also share. (…) So, sharing actually builds up trust within the team. (…) We are increasing our communication and collaboration between team members so we can improve the culture by learning, by sharing responsibilities, by sharing our learning, and also by sharing how the problem was solved.”
Who is responsible for DevSecOps?
“It's not a specific team’s responsibility. It should be everybody's responsibility. Everybody should think about their jobs and their role. How can I help my team? How can we break down silos? How can I do my job in a way that helps others? It’s a change of mindset. (…) Saying: ‘what can I do to help you?’ This includes the scrum master, the dev, the architect and everybody. Then once we’ve asked that question of ourselves, we will say, ‘OK, this team needs this information, let me share that. Let me give them what they need.’ So we’re not the bottleneck. We want to be the enabler; we want to work for them. They're not working for us.”
“One piece of advice I would give is pick up the phone, talk with your peers, understand what they do. Put yourself in their situation.”
Important KPIs in a DevSecOps environment
“Monitor all of the data. Once our DevSecOps is up and running, (…) we have to really measure our deployment frequencies, the change lead time, the volume, the number of work items like tickets, MTTD, the mean time to detection, and MTTR, the mean time to recovery. (…) Then we have to look at the time to approval, the time to patch vulnerabilities, and we have to look at the servers. Measure our software delivery progress and how well we are doing: What is the quality of the application that we are delivering? (…) Then we look at service logs, disk space, memory usage with applications related to performance. We have to measure it, but we have to align these with our software delivery process and how much we are able to quickly find any defect in our code base and push out the new version.”
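The metrics named in the quote are only useful if they are computed the same way every reporting period, including in the awkward cases: incidents that are still open, vulnerabilities not yet patched, and windows with no events at all. The script below is an added example written for this article, not code from the podcast, SEI or Fortify. It computes deployment frequency, change lead time, MTTD, MTTR and time to patch from constructed deployment, incident and vulnerability records (the record shapes and the choice to measure MTTR from detection rather than from fault start are assumptions of the example; in practice the data comes from the CI/CD system, the ticketing system and the monitoring platform).

```python
"""Added example: computing the delivery and response metrics mentioned
above from pipeline and incident records. The records are constructed for
the example; in practice they come from the CI/CD system, the ticketing
system and the monitoring platform."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Deployment:
    commit_at: datetime       # when the change was committed
    deployed_at: datetime     # when it reached production


@dataclass
class Incident:
    started_at: datetime              # when the fault began (from logs/forensics)
    detected_at: datetime             # when monitoring or a person noticed it
    recovered_at: Optional[datetime]  # None while the incident is still open


@dataclass
class Vulnerability:
    disclosed_at: datetime            # when the finding was reported to the team
    patched_at: Optional[datetime]    # None until the fixed build is deployed


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def _mean(values: List[float]) -> Optional[float]:
    # An average over an empty set is undefined; report None rather than 0,
    # which would read as an excellent score on a dashboard.
    return sum(values) / len(values) if values else None


def delivery_metrics(deployments, incidents, vulns, window_days):
    """Return the KPIs for one reporting window (durations in hours)."""
    closed = [i for i in incidents if i.recovered_at is not None]
    patched = [v for v in vulns if v.patched_at is not None]
    return {
        "deploys_per_week": len(deployments) / (window_days / 7.0),
        "change_lead_time_h": _mean(
            [_hours(d.deployed_at - d.commit_at) for d in deployments]),
        # MTTD: fault start to detection. Open incidents count here too,
        # since they have already been detected.
        "mttd_h": _mean(
            [_hours(i.detected_at - i.started_at) for i in incidents]),
        # MTTR measured from detection to recovery (an assumption of this
        # example; some teams measure from fault start). Open incidents are
        # excluded rather than silently treated as recovered.
        "mttr_h": _mean(
            [_hours(i.recovered_at - i.detected_at) for i in closed]),
        "open_incidents": len(incidents) - len(closed),
        "time_to_patch_h": _mean(
            [_hours(v.patched_at - v.disclosed_at) for v in patched]),
        "unpatched_vulns": len(vulns) - len(patched),
    }


# Constructed records for a 28-day window.
T0 = datetime(2020, 6, 1, 9, 0)
H = timedelta(hours=1)
D = timedelta(days=1)

DEPLOYMENTS = [
    Deployment(T0 + i * 7 * D, T0 + i * 7 * D + lead * H)
    for i, lead in enumerate((4, 8, 12, 24))        # lead times in hours
]
INCIDENTS = [
    Incident(T0 + 3 * D, T0 + 3 * D + 1 * H, T0 + 3 * D + 3 * H),
    Incident(T0 + 10 * D, T0 + 10 * D + 3 * H, T0 + 10 * D + 9 * H),
    Incident(T0 + 27 * D, T0 + 27 * D + 2 * H, None),   # still open
]
VULNS = [
    Vulnerability(T0 + 2 * D, T0 + 3 * D),              # patched in 24 h
    Vulnerability(T0 + 5 * D, T0 + 8 * D),              # patched in 72 h
    Vulnerability(T0 + 20 * D, None),                   # not yet patched
]

if __name__ == "__main__":
    for name, value in delivery_metrics(DEPLOYMENTS, INCIDENTS, VULNS, 28).items():
        print(f"{name:20} {value}")
```

The open-incident and unpatched-vulnerability counts are reported alongside the means on purpose: an MTTR of four hours looks very different when one incident has been open for a day and is simply not in the average yet.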
Hear Hasan Yasar’s full interview, Challenges Implementing & Sustaining DevSecOps.
About Micro Focus Fortify
Fortify has recently been named a Leader seven times in the Gartner Magic Quadrant for Application Security Testing as well as named #1 in two use cases, Enterprise and Mobile & Client in the 2020 Gartner Critical Capabilities for Application Security Testing.
Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program.