Virtualization Technology News and Information
4 Tips for DevSecOps Education and Training

By Joseph Feiman, WhiteHat Security Chief Strategy Officer

Whether it was the 250 million Fortnite players who were left vulnerable to hack, or the Quest Diagnostics breach that exposed 11.9 million patients' medical and financial data, 2019 has seen some of the worst data breaches to date. To combat these types of attacks and vulnerabilities, organizations must be more cognizant of their security, and embrace a DevSecOps approach. And to do so, it is imperative that they provide the proper education and training for every facet of the organization.

But it is important to note when educating organizations about security that some practices and technologies should be encouraged, while others should be avoided. Whether that means exploring best practices around security training, metrics, skills and champions in the industry, it's important to understand how each audience fits into the DevSecOps scope. In this blog post, I'll help break down four tips for security training to achieve DevSecOps.

Security As A Shared Responsibility

First and foremost, DevOps teams need to learn that security is a responsibility that they must share with the security team. Without it, DevSecOps is impossible, and without DevSecOps, DevOps will not be secure. DevOps and security need to be taught how to discuss security issues together, so they can see all of the implications they entail - security, quality, legal, reputational - all combined.

Organizations will increasingly see their revenues, profits and brand loyalty impacted by their ability to create highly secure applications. And as more application-layer breaches are reported on by the media, security will need to be seen as a fundamental aspect alongside quality, stability, performance, functionality and ease-of-use.

Avoid Making DevOps Specialists Security Experts

Application security technologies should be transparent to DevOps specialists, as security transparency is a critical condition for security adoption by the DevOps team. But security technologies should not distract DevOps specialists from development and operation. Instead, DevOps specialists should be security aware, and they should be applying best security development and deployment practices.

Yet, they should not become experts in security technologies. Security technologies should be enabled for a transparent invocation and operation by DevOps specialists directly from IDEs and build servers. Technologies should test applications and get results rapidly and directly to those who invoked them. DevOps should use security results, but relieved from learning and running sophisticated security detection and protection technologies.

Security Awareness

Development and operations specialists should understand application vulnerabilities, their different categories and what the best practices to avoid making applications vulnerable are. Without this training, developers and operations specialists likely won't be able to fully grasp how important security is, and the effects it can have on the overall business.

Hackers exploit vulnerabilities that were (typically inadvertently) created by DevOps. For example, lack of input sanitization might lead to exploits, such as SQL injection or command injection. To combat this, DevOps specialists should be made security-aware, trained in secure programming practices, secure application configurations, and use of secure libraries and frameworks.

Educate, Don't Shame

When security technologies such as SAST, DAST, IAST, and SCA present detected vulnerabilities before DevOps specialists, it should be a learning experience for them. Unfortunately, the process can be embarrassing. Test results come back to their managers, and after their first review, reach developers. These developers then inevitably make mistakes, which cause vulnerabilities, and those vulnerabilities get revealed to the managers and peers.

To avoid "shame and blame," developers need to find ways to minimize or ignore implementation of application security technologies. Thankfully, modern technologies offer ways to deal with these problems. Modern SAST, for example, enables developers to invoke tests out of an IDE, and return test results to the same IDE. The developer is the only one that sees the results of the test, and he/she can review and remediate vulnerabilities, and then submit another test, remediate, and so on, until all vulnerabilities get fixed. Shame and embarrassment gets replaced by education, and security is the reward.

By following all of these steps, and providing adequate training and education for your teams, DevSecOps implementation will finally become a reality for your organization. Stay tuned for the next three-parts in this series, which will explore best practices around security metrics, skills and champions in the industry.


About the Author

Joseph Feiman 

Joseph Feiman is the chief strategy officer at WhiteHat Security. Feiman is responsible for WhiteHat’s overarching business strategy and vision, to further its success in empowering secure development and operations. Previously, Feiman worked for 18 years at Gartner, where he was  a Gartner research vice president and fellow. During his tenure at Gartner, Feiman served as a trusted resource for security executives and professionals across the globe, co-founding the application security market category. Prior to joining WhiteHat Security, Feiman was chief innovation officer at Veracode for three years, helping to bring the company to its culmination.

Published Tuesday, November 05, 2019 7:34 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2019>