Andy Hague

2020-01-10

DevSecOps is fast becoming the trend among industry thought leaders – and it’s not difficult to understand why. Traditional DevOps leaves security to the last minute, which can lead to security flaws being either missed or caught late in the development cycle, resulting in last-minute fixes and expensive delays. By integrating security more closely into the DevOps cycle, businesses can mitigate these risks, ensuring security is built into the design of their applications.

But while theoretical explanations are great, they don’t necessarily prove that DevSecOps works in real life. So, here are six examples of businesses that are already making DevSecOps part of their application development cycles.

Allianz

Multinational insurer Allianz faced some relatively common security and DevOps challenges. For one, security was only introduced at the end of development and wasn’t treated as a priority in the business – causing an uphill struggle for security teams. In an organisation of Allianz’s scale, changing attitudes to focus on security amounted to a huge challenge.

Fortunately, Allianz understood that this was a cultural issue, not just a technical one. The business began to modify its internal security ethos by engaging with all stakeholders: it trained security pros with business skills, while at the same time empowering developers with security skills and automated tools to spot flaws in the code themselves. This helped to build trust between the two departments, fostering a collaborative business and development culture that encouraged strong security practices.

PayPal

Working in payments puts PayPal in a particularly vulnerable spot for cybercrime – after all, financial gain is the biggest motivation for cybercrime. The company aimed to reduce the chance of introducing security flaws into its products, and so was looking for a way to build repeatable and proactive security practices into the product development lifecycle.

The company began to shift its corporate mindset to view security as an equal priority within any new projects, in order to incentivise security. To manage this cultural change, PayPal assigned ‘Change Champions’ and ‘Transformation Team Members’ with a responsibility to guide different teams across the organisation through this transition.

To ease the journey, PayPal introduced automated security tools for the development team, and began phrasing security guidelines in development language, rather than security language.

By focusing on cultural change, while making this change as simple as possible for development teams, PayPal was able to transition to DevSecOps in less than a year. This has enabled the company to rapidly build new products from a secure foundation.

Fannie Mae

Mortgage provider Fannie Mae faced the classic problem of late-stage security checks leading to delays and missed security bugs. There was also limited integration of feedback from customers.

Seeing an opportunity to accelerate development processes with DevOps and integrate superior security practices at the same time, Fannie Mae opted to shift to DevSecOps.

By integrating development, operations, and security all at once, the company enabled a quick, iterative development process with security checks at every stage.

Consequently, this decision led to a doubling in the speed of update releases. This means Fannie Mae can rapidly adapt its services to please customers, whilst building trust through its enhanced security processes.

Verizon

In the midst of extending DevOps throughout the organisation and planning an expansion into the cloud, Verizon was eager to more thoroughly integrate security practices into company processes.

To make this a straightforward transition, Verizon created a bespoke developer dashboard programme focusing on vulnerabilities. This dashboard, which earned the company a CSO50 award for security innovation, shows how and when vulnerabilities are introduced to the code within the business.

Rather than having to monitor multiple dashboards for security insight, the dashboard gives developers a real-time view of any bugs that may have been included in their code. By integrating accountability for vulnerabilities, the company has incentivised strict security practices.

Pokémon Go

The Pokémon Company maintains the hugely popular Pokémon Go mobile game, alongside developer Niantic. This means that the company deals with some of the most sensitive data around – children’s information.

With this in mind, the company was focused on engineering a cultural shift that sees security as a top priority across the whole organisation.

After realising that security is often regarded as a block to development goals, the Pokémon Company re-orientated its priorities to focus on business enablement, and to approach security from this angle. So, instead of being a niggling message about what the business can’t do, security is an independent, crucial focus to bolster parent (and customer) confidence and avoid long-term reputational threats.

This has been a huge success, encouraging the whole organisation to pay closer attention to security. For example, security analytics tool Sumo Logic, which was primarily introduced for the security team, is now used across the business, including by DevOps teams.

Microsoft

To keep security at the forefront of development and the wider business culture, Microsoft focuses on consistent, continuous training. Its long-term Strike training programme helps developers and engineers to understand the threat landscape, and the reasons for these security practices.

Because security practices are explained rather than handed down as opaque commands, everyone within the organisation can make clear sense of them.

Meanwhile, security teams regularly meet and review operational and service security at monthly ‘Red Zone’ meetings.

By putting solid meetings and training processes into place, Microsoft can keep security front-of-mind for everyone. This helps to foster collaboration across teams, ensure products are more secure, and make everyone’s lives a little bit easier.

Learn from the best

One thing that’s clear from all of these examples is that to make DevSecOps work, full and permanent cultural change is required.

This can then be aided and abetted with new tools for developers and security teams, changing explicit business priorities, and introducing continuous training and collaboration sessions. All of these changes are important factors for building security into the heart of a DevOps environment, and ensuring that it stays there.

You can learn all about the need for DevSecOps, how to implement it, and businesses who have fallen foul of insecure DevOps practices, in our whitepaper, ‘DevSecOps: How to enable security without compromise.’
