Scaling for DevSecOps with the Norwegian Labour and Welfare Administration

Application development has changed, and development teams have begun supporting a model of rapid and frequent deployments to support the pace of innovation demanded by digital transformation. From an application security perspective, this means scaling through DevSecOps and supporting developer-first security.

The unique challenges and solutions for shifting to DevSecOps were the subject of a recent roundtable discussion featuring Aner Mazur, Chief Product Officer at Snyk and Christer Edvartsen, Sr. Software Engineer at the Norwegian Labour and Welfare Administration (NAV). Here’s a quick recap of the conversation.

The rise of dev-first security

Cloud native software development has dramatically changed the way companies build software, and in turn, the speed at which applications are built and deployed. As organizations undergo digital transformation and modernize their applications, developers are adopting microservices architectures, containerization, and infrastructure as code (IaC) to help speed application availability. This shift to modern software development, as illustrated below, puts more responsibility on developers than ever before.

The additional workload means development teams should be empowered to efficiently own the development process from end to end. But security wasn’t initially built into this DevOps approach, and traditional security audits became major bottlenecks to rapid development. This approach of “build first, secure later” needed to change.

A recent Snyk DevSecOps Insight report revealed that 33% of respondents feel that security is a major constraint on timely software delivery. What’s more, 81% of respondents believe developers should actually own security, but they aren’t well equipped to do so. In response, many businesses are listening more to developers and equipping their teams with cloud native application security.

“We basically always try to put the developers in the driver's seat,” Edvartsen explained. “So whatever our development teams want, that should be what we provide them. If there's a lot of people who want to use certain tools, then we should try our best to give them that. For example, Snyk enables their security needs.”

Transforming for cloud native application development

For NAV, placing more responsibility on developers didn’t happen overnight. The organization had been relying on a number of software development agencies creating custom code for their software supporting Norway’s needs. However, as more affordable cloud technologies became available, NAV began its shift toward a DevOps approach to meet these needs. This meant building out in-house development teams that could take ownership of the applications.

“We started this transformation quite a few years ago,” Edvartsen said. “Currently we have around 200 developers, 70 data engineers and around 70 designers full time. In addition to this we have around 150 external developers through consultant agencies. I am currently working with the platform team to create the infrastructure as code the rest of the teams use to deploy and run their applications”

This change in infrastructure ownership affects operations at least as much as it does security, and played a key role in the rise of DevOps. DevOps means developers and ops teams share responsibility for keeping the applications running and performing well. Ensuring open source application code remains secure is another layer of responsibility within these teams. Ownership of security was a central part of NAV’s transformation strategy to DevOps.

“We have security champions. They are not necessarily security experts themselves, but they are a part of the development teams’” said Edvartsen. “Currently, we have around 100 development teams and our end goal is to have at least one security champion per team. They will for instance oversee Snyk reports and flag issues when they occur.”

Powering developer-friendly security with integration

Scaling security can be a major obstacle for any development team. With 100 different project teams and over 300 distributed developers, NAV’s security champions could hardly keep up without proper tools. That’s why choosing the right developer-friendly tooling to implement new security processes is crucial for reducing friction.

The best tools for adoption are those that fit seamlessly into existing developer workflows and are easy to use. Integrating security tooling into the SDLC helps reduce the burden on developers by automating security within the supply chain.

"With all the integrations that we're currently using, empowering developers with security kind of happens by itself.” Edvartsen said. “Since we're using Snyk's integration, we're using a pull request workflow. We're getting Snyk reports, and security champions share it in Slack. It’s easy to integrate with GitHub and Slack, so developer empowerment happens automatically."

Creating self-sufficient, trusted development teams

With the rapid shift to DevOps and cloud infrastructures, organizations need a new approach to security, often referred to as DevSecOps. This approach champions self-sufficient teams and accelerates the business instead of slowing it down. In other words, it’s developer-first — and dev-first security means the majority of security work is done by developers.

Application development teams need to be self-sufficient and able to own these responsibilities, and be trusted by the organization — and the security team — to do so. With such ownership in place, developers can secure their applications as they build it and at their pace.

“It's really important to build trust within the organization,” said Evartsen. “Since we're also trusting our development teams to follow along on the Snyk guidance and other security issues, we need to trust that they're doing the right thing with regard to security.”

Implementing an efficient and protected DevSecOps approach to software development requires the right culture, tools, and processes. By choosing Snyk, NAV had a developer-friendly tool that integrated closely with its development workflow. Once NAV integrated the right tooling, empowering developers for security responsibilities happened without friction.

Want to learn more about NAV’s DevSecOps transformation? Watch the full webinar on-demand.