Share the journey
Throughout the continued journey of implementing and maturing a DevSecOps model, sharing successes and lessons learned can help everyone improve. The following are examples from organizations who have adopted DevSecOps and have worked to achieve higher levels of maturity.
DevSecOps in Auth0
- Creating a “frictionless” experience for cloud developers
- Leveraging data analytics
- Risk prioritization early in the SDL
- Cooperative enablement, flexible development practices
Since its earliest days, Auth0 has heavily leveraged AWS cloud infrastructure to deliver identity management solutions to their customers. Through their rapid growth both in organizational size and service offerings, Auth0 has had to meet the challenge of ensuring their cloud infrastructure is secure. Duncan Godfrey, Senior Director of Security and Compliance, recently appeared on The Secure Developer podcast and discussed their strategy for ensuring the security of that environment.
A dedicated cloud security team within Auth0 is responsible for ensuring the security of the AWS environment. However, to ensure that the team did not fall into a traditional SecOps mindset, automation with a focus on monitoring has been keenly important for that team. According to Godfrey, “The charter of that team is to ensure that we’re collecting data from every possible facet and nook and cranny of AWS and pulling that in for analysis.” The result of this focus is that the team has touch points with the development teams that are functioning in a DevOps model. They’re able to achieve greater overall visibility by establishing that collaboration with the DevOps teams.
For Auth0 and their cloud security team, creating a “frictionless” experience for the developers is crucially important. Security integration begins early in the SDL with a short form that helps guide how much collaboration will be needed with the security team. High-risk functionality, such as exposing public endpoints, is supported with a greater degree of security involvement. “Working them through so hopefully upfront we have the requirements in place and the good controls in place that we end up with good secure software, and then at the end we’re running some more tests,” according to Godfrey.
The overall culture at Auth0 is clearly one of cooperative enablement: developers are free to create software in a way that fits their needs while also demonstrating maturity in security practices. This has helped Auth0 continue to leverage new technologies while maintaining a confident security posture.
DevSecOps in Segment
- Walk a mile in the developer’s shoes
- Embracing infrastructure as code to enable DevSecOps
- Ensuring new tools are usable by developers
- Cross-functional embedded resources
On a recent episode of The Secure Developer podcast, Leif Dreizler and Eric Ellett talked about the importance that customer data platform provider Segment places on the collaboration between development, security and operations resources. Segment doesn’t do sprints across their organization; instead, teams operate independently. However, through a consultative model, the security team is still integrated early in the development process to provide threat modeling and design review capabilities.
At Segment, the idea of establishing empathy is baked into the culture of the security team. Within the team, Segment has employed a concept of “Walk a mile in the developer’s shoes”. Ellett explained that the security team goes to great effort to understand how their security processes impact other areas of the organization. For instance, when they sought to roll out Multi-Factor Authentication, Dreizler spent a quarter embedded with the development team. This gave the security team invaluable context on the challenges the development team faces and on what they are trying to protect.
However, the collaboration focus doesn’t end there. Ellett explained that there is the intention that similar initiatives would happen in the other direction. The plan is to bring people from other areas of the organization to sit with the security team and understand their world as well. Dreizler stated, “I think that this is what the goal of DevSecOps should be. Similar to DevOps, where you have operations people learning how to code and now everything at Segment’s infrastructure is code.”
Segment also firmly believes in creating the “paved road”. A guiding principle that the Segment security team operates under is “Would this tool be used by the developer?” In other words, there’s a keen focus on ensuring that adoption of security controls is enabled by ease of use. The ultimate focus, according to Dreizler, is “Just make it as easy as possible for people to do what the right thing is.”
Through this cooperative and empathetic approach, Segment has been able to grow a strong culture of collaboration in their organization — an example of how the promise of DevSecOps can be realized by ensuring all functions are aligned in their goal to do what is right for the organization.