Security Series (III): 'DevSecOps' - the expert interview

Posted on 20/04/2017 by Jay Banghar


As part of our Security series, we discussed the future of Cloud Security and the issues faced by the Government in Securing Singapore and achieving the Smart Nation goal. We now turn our attention to DevSecOps, a rapidly developing movement which proposes that only in an environment where “everyone is responsible for security” can the benefits of Continuous Integration and Cloud Deployment be realised.

To help us understand DevSecOps, our specialist security talent recruiter Adam Fletcher interviewed a leading practitioner, Francois Raynaud, founder of DevSecCon and industry thought leader. The interview is summarised below.

DevSecOps is still an emerging movement. What are the three main benefits to a business?

  1. The fundamental benefit of DevSecOps is the building and automation of Security as code – to make software safer sooner.
  2. This in turn has a direct impact on cost; the development process is enhanced and the cost of fixing vulnerabilities/issues is mitigated.
  3. Embracing DevSecOps can lead to a hugely beneficial Cultural change. Rather than Security policy being a hammer used to reprimand, tools and processes can be developed that fit a business’ specific needs, as opposed to trying to fit ‘one size fits all’ products.

So, who is responsible for implementing effective DevSecOps in an organisation and what role do those in charge of GRC play?

Everyone is responsible for DevSecOps, but to achieve this we must change from an exclusive to an inclusive culture. Unfortunately, a lot of the compliance checklists that Governance, Risk & Compliance (GRC) leaders use are no longer fit for purpose. Performing an in-depth assessment of how code is distributed and managed is key to ensuring that Security can be integrated at every step. To achieve this we need to educate from the board level down, and GRC leaders need to put away the pen and Excel spreadsheet. They need to learn about SCRUM and DevOps and work together to create a super team that doesn’t just fix the same old Security problems but disrupts the process to prevent repetition.

In our previous blog, we discussed the future of Cloud Access Security Brokers (CASB), which has been identified by Gartner as the number 1 technology for Info Security. How does Effective DevSecOps impact the performance of CASB?

CASB is a useful tool to ensure applications can be deployed safely in the cloud. It can help reduce the need for swathes of administrators, but is really only in existence due to the negligence of cloud management. Effective DevSecOps could remove the need for CASB, as through this process you can perform a full inventory of assets in the cloud and create an inclusive culture. Although, until proper security hygiene is achieved, I would not recommend throwing them away just yet.

Why is DevSecOps important when we have sophisticated Threat Intelligence tools that centralise visibility through machine learning?

Threat Intelligence tools are important and can be hugely beneficial, so long as they are not ‘just another pane of glass’. A business must ask itself: what am I trying to achieve? What am I trying to protect? Without this fundamental understanding, even the most sophisticated tool achieves nothing more than being a non-contextualised papyrus scroll, where each problem is fixed as it arises and Security Vendors continue to sell new add-ons, features that aren’t necessary and ‘essential’ upgrades, on the promise of being the ‘Silver Bullet’ for the customer’s Security concerns.

In Singapore, a primary focus of the government is Security concerns relating to Smart Nation. How can DevSecOps help Singapore achieve its vision?

I think it’s amazing that the Singapore Government is seeing the advantages that being a Smart Nation can bring, but it’s not just about energy efficiency and traffic controls. GovTech sponsored the recent DevSecCon event as they can see that, through DevSecOps adoption, they can implement the right security at the right moment. The Government doesn’t like waste and sees no point in mass layers of authentication. It’s also pleasing that they recognise the need for help: being open to hiring talent, even from overseas, and actively upskilling their existing staff can help them to achieve their goals.

There is a definite skills shortage in this area, and Security awareness is a central principle of Effective DevSecOps. What advice would you give to those seeking to learn more about DevSecOps and help to promote an inclusive environment?

The next DevSecCon conference, which we have just announced in Boston, in addition to our London event and return to Singapore next year, is a great place to learn more. In addition, we are currently building a certification linked to three DevSecOps training programmes, which will go live in Q2 2017. Another very interesting event is the OWASP Global Summit in June, which will have a strong focus on using DevSecOps in working sessions to solve the community’s security problems. DevSecOps is a vendor neutral movement and relies on the community getting involved, so participation in the DevSecOps foundation is very important.

At SearchElect we are always interested in opening a discussion with those seeking to be the next disruptors in Security and, like Francois, believe that we are experiencing a fundamental change in how Security is achieved within business and government.

I would love to learn your thoughts on how DevSecOps will shape the future of Security, and how I can add value to your recruitment process or help you achieve your career aspirations.

Please get in touch to discuss further!

+65 6589 8787