“The AppSec team sends a bunch of security controls to implement in a week. Don’t they understand we have other demands to deliver?” “The development team doesn’t prioritize security!” These phrases are common feedback when there isn’t a mature application security culture. How can we change this reality? Let’s explore some strategies that can help effectively implement a DevSecOps culture.
What is Culture?
A strong culture is essential for developing maturity in AppSec. No matter how good your strategy for implementing application security practices is, it will fail without a strong culture that encourages practicing these strategies. According to Kegan & Lahey (2016), a culture is a set of routines and practices sustained by a unique language and anchored in deep assumptions about the world. In our context, this means breaking down friction points between teams. The application security culture aims to make security natural at all stages of the software development lifecycle (Custódio, 2022).
DevOps and DevSecOps
DevOps, coined by Jez Humble and Patrick Debois in 2011, encourages developers to have a holistic view of projects, eliminating silos and bringing teams closer together. With technological advances, security concerns have increased, leading to the integration of AppSec practices into the DevOps culture, transforming the traditional SDLC into S-SDLC (Secure Software Development Life Cycle), thus creating the concept of DevSecOps.
Security Culture in Development Teams
Focus on People
The first step to consolidating the culture is people. Without investing in everyone’s sense of responsibility in the S-SDLC, failure is inevitable. According to recent Gartner research (2023), development teams focus on functional requirements but lack awareness of secure coding practices. Building an active awareness process is crucial:
- Educate developers about the risks and impacts of introducing vulnerabilities through active training initiatives on secure coding practices.
- Relate the importance of each tool integrated into the S-SDLC to the developer’s daily routine, so the tool is seen as support rather than overhead.
- Introduce practices gradually, adapting them to different contexts and stages of the development cycle.
Facilitate Visualization and Understanding of S-SDLC Processes
Tools are crucial in a DevOps pipeline, automating checks and helping identify security flaws. However, adopting tools without awareness can increase silos and friction. Everyone must understand the importance of each tool and how it helps in their context. Solutions like ASPM (Application Security Posture Management) can be allies in continuously managing application risks.
Implementation Roadmap
To guide the implementation of AppSec practices, we present a roadmap:
- Security Champions Program (SC): Implementing these concepts in the “real world” is not trivial. The first step is to empower developers. One approach is structuring a Security Champions program. The SC acts as the link between the security and development teams, promoting secure development practices within their own team.
- Contextualized Education: One of the biggest risks to an organization’s security is often not a weakness in an isolated application or feature but the employees’ lack of awareness of the impacts of security incidents. In this context, ISO 27002 indicates that all organization employees should receive appropriate training, education, and awareness, along with regular updates to relevant organizational policies and procedures.
- Customized Training: Training should be contextualized to demonstrate the impact of problems and how they can be remedied. Training for the engineering team should differ from that for the Governance team, as contexts are distinct.
- Monitoring Metrics: Implement a continuous improvement model with metrics such as training sessions delivered, participation, integrated practices, and the number of vulnerabilities prevented.
- Tool Integration: Smart tool orchestration involves evaluating modern security solutions, considering the current team’s maturity. Integrating tools and blocking the development pipeline without proper awareness is not recommended. Including developers in building policies related to security tools can help. This way, developers feel part of the process and understand the need for each solution.
- Start with basic tools like SAST and SCA and use an ASPM to consolidate their findings so the information can be consumed intelligently. This reduces friction and brings the necessary information into the developer’s environment, ensuring smoother and more efficient integration and promoting the gradual and conscious adoption of security practices.
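The two roadmap items above (integrate tools without blocking the pipeline prematurely, and start with SAST and SCA) can be expressed as a pipeline configuration that starts in report-only mode and is later switched to an enforcing gate. The fragment below is an added example written for this article, not the author's own pipeline or any vendor's reference configuration. It assumes GitLab CI, Semgrep as the SAST tool and `npm audit` as the SCA tool for a Node.js project, and it introduces a hypothetical CI/CD variable named `SECURITY_GATE` that the team flips from `report` to `enforce` once the awareness work described above has been done.

```yaml
# Added example (.gitlab-ci.yml fragment), not from the article.
# Assumptions: GitLab CI, Semgrep (SAST), npm audit (SCA), Node.js project,
# and a hypothetical SECURITY_GATE variable controlling the rollout phase.
stages:
  - build
  - security

variables:
  SECURITY_GATE: "report"   # "report" = findings are visible but never block

# Shared settings: reports are always published as artifacts so developers
# (and an ASPM that ingests them) see the findings in either phase.
.security-job:
  stage: security
  artifacts:
    when: always
    paths:
      - reports/

# --- Phase 1: report-only. allow_failure keeps the pipeline green while the
# team learns which rules matter in their context.
sast-report:
  extends: .security-job
  image: semgrep/semgrep
  rules:
    - if: $SECURITY_GATE == "report"
  script:
    - mkdir -p reports
    - semgrep scan --config auto --json --output reports/semgrep.json .
  allow_failure: true

sca-report:
  extends: .security-job
  image: node:20
  rules:
    - if: $SECURITY_GATE == "report"
  script:
    - mkdir -p reports
    - npm ci --ignore-scripts
    - npm audit --json > reports/npm-audit.json || true
  allow_failure: true

# --- Phase 2: enforcing. Same tools and reports, but a narrow, agreed
# threshold (ERROR-severity SAST rules, high/critical advisories) now fails
# the job. Enabled per project by setting SECURITY_GATE=enforce in the
# project's CI/CD variables, which override the default declared above.
sast-gate:
  extends: .security-job
  image: semgrep/semgrep
  rules:
    - if: $SECURITY_GATE == "enforce"
  script:
    - mkdir -p reports
    - semgrep scan --config auto --severity ERROR --error --json --output reports/semgrep.json .

sca-gate:
  extends: .security-job
  image: node:20
  rules:
    - if: $SECURITY_GATE == "enforce"
  script:
    - mkdir -p reports
    - npm ci --ignore-scripts
    - npm audit --audit-level=high --json > reports/npm-audit.json
```

The design point is that the reports themselves never change between phases; only the consequence of a finding does. Developers see the same output for weeks before anything blocks them, and the threshold that eventually blocks is one they helped define, which is what the roadmap means by including developers in building the policies for security tools.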
Conclusion
DevSecOps is a mindset that needs to be internalized and spread by all development team members, not a rigid set of rules and procedures.
