Examining Gartner’s 12 Things to Get Right for Successful DevSecOps

“Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes, and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent.”

According to the Gartner report, DevSecOps quickly became one of the fastest-growing areas of interest in 2019, with evolving and successful DevSecOps initiatives that left analysts and other leaders in security and development with interesting learnings.  Gartner’s most recent report — 12 Things to Get Right for Successful DevSecOps — gathers these learnings and provides insightful analysis.

Navigating an organizational change toward DevSecOps can be complicated, involving numerous teams, moving parts, and even new tools. Gartner’s analysts were able to pinpoint the most common challenges and provide recommendations to organizations looking to scale DevOps.

Topics discussed in the report include:

• Adapt your security testing tools and processes to the developers

• Quit trying to eliminate every vulnerability during development

• Focus first on identifying and removing known open-source vulnerabilities

• Don’t expect to use traditional DAST/SAST without having to make changes

• Train developers on secure coding, but don’t expect them to be security experts

• Adopt a security champion model and implement a simple security requirements Gathering Tool

• Secure and apply operational discipline to automation scripts and infrastructure security posture

• Implement stronger version control on all code and components

• Apply secrets management

• Adopt an immutable infrastructure mindset

• Rethink how service delivery incidents are handled

• Use dynamic access provisioning for developers in DevSecOps

We expand on three of the twelve below but encourage you to read the entire report to get a holistic view of the best ways to approach these practices in your own organization.

Adapt your security testing tools and processes to the developers — not the other way around

A fundamental principle of DevOps, and one of its best known, is the goal of moving work through the system as rapidly as possible. Less well-understood, but crucial to DevOps and application security, is the principle of providing feedback to developers at an equal pace, and as early in the process as possible.

The current antiquated approach to information security needs a facelift. But changing an organization to embrace DevOps isn’t easy, it's a process that relies on an adaptable developer team and cooperative ops and security teams willing to pass down their knowledge. But once a new process has been implemented, developers can secure their applications as they build it and at their pace, streamlining the entire process and paving an easier path to compliance.

This developer-first approach also requires an audit of the security solutions currently available in the toolbox. Such solutions must, first and foremost, be aimed at the developer as the key user, even if such a tool comes from the security team’s budget. Over time these solutions will become the new normal, setting the standard for our future approach to DevOps.

Focus first on identifying and removing known open source vulnerabilities

There is a famous, centuries-old quote from Voltaire, “Loosely translated, it means “perfect is the enemy of good.” This is as true now as it was centuries ago, especially in the world of digital business, where information security’s drive for perfect security is at odds with the business and developer’s need for speed and agility.

Once the right tools are put in place, it can be easy to fall into the thinking that every problem will be identified and fixed immediately. Even with the streamlined process that DevOps brings to an organization’s security, this simply is not the case. The situation becomes even more frustrating when teams run their initial tests, face a stack of vulnerabilities, and are left with the question “well what do we fix first?”

Much like Gartner, we recommend taking that stack and creating a more manageable prioritized list for developers.

Adopt a security champion model and implement a simple security requirements gathering tool

Security champions can reduce the perceived complexity of secure coding by providing immediate, real-world examples in the team’s code and focusing on immediate remediation, rather than more abstract, less-relatable issues.

A great example of security champions is Revolut’s success in implementing the practice throughout its organization. The company saw an improved approach to security almost immediately and credited a lot of that to finding Snyk — a partner with the ability to integrate into the company, not just technologically but also culturally.

This blog post only scratched the surface of the helpful insights this report has to offer — there are still so many recommendations to explore!