Collaboration: A Key Component in Maximizing the Potential of DevSecOps


In June this year, Red Hat and Singapore’s national defense R&D organization, DSO National Laboratories (DSO), announced their collaboration to build new DevSecOps capabilities. In a press release, Red Hat hailed the partnership as a demonstration of the importance of collaboration in leveraging DevSecOps for national defense.

Meanwhile, DSO CEO Cheong Chee Hoo said that the collaboration will significantly advance the organization’s knowledge and capabilities in the latest DevSecOps practices. DSO expects to develop and provide new solutions for enterprise and mission-critical IT systems.

This collaboration is a welcome development showing how security organizations can work together to improve cyber defenses further. However, it is important to realize that DevSecOps itself is also about collaboration. Development, security, and operations teams work together to bake security measures and controls into software throughout its development lifecycle.

Collaboration in DevSecOps

DevSecOps is not a mere guideline or suggestion on how an organization can proceed with a project. More than a framework for security-driven development, it requires everyone involved to work earnestly towards common goals. Silos have to be dismantled, and teams must not compete against each other. Instead, everyone needs to know and understand their role and work cohesively to achieve the desired security integration throughout the entire process.

Shifting security left, that is, addressing security as early as possible rather than waiting for the testing phase, calls for a clear understanding of new roles among teams that previously had no part in security concerns. Without proper collaboration, DevSecOps is difficult to pull off. This collaboration goes hand in hand with effective communication and education: the plan to adopt DevSecOps has to be communicated and backed by corresponding education such as seminars, training, or orientation.

Moreover, teams need to work closely with each other to integrate the right tools, especially when automating CI/CD pipelines. DevSecOps relies on a set of application security tools and processes: static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA) for third-party dependencies, each used at a different stage of the development lifecycle. They have to be implemented collaboratively, not just arbitrarily assigned to different teams without consultation.

Collaboration is the highlight of DevSecOps

Collaboration provides the cohesive support and stability DevSecOps needs to be effective. It is particularly important in the following aspects.

Sharing of knowledge and expertise

DevSecOps does not automatically make everyone adept at security. Teams that work in the earlier part of the development process understandably lack security expertise and experience. This does not mean they are uninformed about security; developers certainly understand the basics of software security. However, they have to defer to those who specialize in security and have been working on it for a long time, and collaborate with them to spot security issues and formulate the appropriate solutions.

Reciprocally, the security team also learns from developers. The collaboration gives them a better grasp of application requirements and of the challenges developers encounter that may make it difficult to integrate security measures. They exchange insights on reconciling conflicting options and arrive at decisions that resolve security questions in ways that address all of their concerns.

Security assessment agility

Agility is one of the expected benefits of adopting DevSecOps. Teams that share information and maintain good communication with each other become more cognizant of threats and possible attacks, and therefore better prepared for them. Attention to security details from the outset results in faster issue detection and remediation. Continuous security assessments are undertaken as the software project proceeds and also as the final product evolves.

Additionally, close coordination between the development, operations, and security teams enables proactive vulnerability detection. Teams do not simply rely on rules and threat intelligence; they can anticipate likely security weaknesses and quickly develop and implement the most suitable solutions, including security patches.

Automation and integration

Security teams do not have mastery of all processes in the software development lifecycle. They need to work with the development teams to find the specific processes that are suited to automation. Automation usually targets security testing, code integrity or quality analysis, and vulnerability scanning. The insights provided by development teams help in determining the best approaches to automation.

Moreover, cross-functional collaboration provides well-informed decisions on the best tools to use. By involving all stakeholders in tool evaluation, there is a reasonable expectation that the features and functions of the tools chosen match the specific needs of a project while meeting security objectives.

Implementation of security-as-code

DevSecOps promotes the concept of security-as-code, wherein security policies, vulnerability scanning, validation checks, and other security mechanisms are expressed as code and kept alongside the application, so that they are version-controlled, reviewed, tested, and enforced on every build. Security then becomes strong and consistent rather than dependent on individual users remembering to apply it, and harder to undermine through external factors, including the actions of threat actors. Additionally, security-as-code supports scalable security practices across the entire organization.

The security team may not have the expertise and experience to translate security principles into code. They need to work with the development team to determine if their ideas are viable and provide inputs on building security controls. Once the relevant code components are completed, the security team then evaluates if the resulting code is in line with the functions they are looking for and if it works effectively.
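As an added example, not code from the article or from Red Hat or DSO, here is a small security-as-code gate in Python of the kind the preceding paragraphs describe: the security team states policy as reviewable, testable code, the development team wires it into a CI/CD stage, and the build fails when any high-severity finding is raised. The dependency check stands in for the software composition analysis stage mentioned earlier. Every package name, version, advisory and configuration value below is constructed for illustration and refers to no real software or vulnerability.

```python
"""Security-as-code: policies written as code, evaluated as a CI/CD gate.

All inputs (application config, dependency manifest, advisory list and the
package names in it) are constructed for this example; none are real.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    policy_id: str
    severity: str  # "high" | "medium" | "low"
    message: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Registry of policy functions. Each takes (config, dependencies) and returns
# a list of findings; adding a policy is a reviewable code change, not a
# manual checklist item.
POLICIES: List[Callable[[dict, Dict[str, str]], List[Finding]]] = []


def policy(fn):
    POLICIES.append(fn)
    return fn


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); pads so '1.4' compares equal to '1.4.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


# Constructed advisory data: package -> (first fixed version, note).
# Hypothetical packages and flaws used only to exercise the SCA policy.
ADVISORIES = {
    "examplelib": ("2.3.1", "hypothetical deserialization flaw fixed in 2.3.1"),
    "fakehttp": ("0.9.0", "hypothetical header-injection flaw fixed in 0.9.0"),
}


@policy
def no_debug_in_production(config, deps):
    if config.get("debug") is True:
        return [Finding("CFG-001", "high", "debug mode enabled; stack traces leak to clients")]
    return []


@policy
def tls_minimum_version(config, deps):
    min_v = config.get("tls", {}).get("min_version", "1.2")
    if parse_version(min_v) < parse_version("1.2"):
        return [Finding("CFG-002", "high", f"TLS minimum version {min_v} is below 1.2")]
    return []


@policy
def no_wildcard_cors(config, deps):
    if "*" in config.get("cors_origins", []):
        return [Finding("CFG-003", "medium", "CORS allows any origin")]
    return []


@policy
def vulnerable_dependencies(config, deps):
    """Software composition analysis stand-in: compare pinned versions to advisories."""
    findings = []
    for name, version in deps.items():
        if name in ADVISORIES:
            fixed, note = ADVISORIES[name]
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding("SCA-001", "high", f"{name} {version} < {fixed}: {note}"))
    return findings


def evaluate(config: dict, deps: Dict[str, str]) -> List[Finding]:
    """Run every registered policy and collect findings."""
    findings: List[Finding] = []
    for p in POLICIES:
        findings.extend(p(config, deps))
    return findings


def gate(findings: List[Finding], fail_on: str = "high") -> bool:
    """True if the pipeline may proceed: no finding at or above `fail_on`."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


# Constructed sample inputs: one weak deployment, one hardened.
WEAK_CONFIG = {"debug": True, "tls": {"min_version": "1.0"}, "cors_origins": ["*"]}
WEAK_DEPS = {"examplelib": "2.2.0", "fakehttp": "1.1.0", "otherlib": "3.0.0"}
HARDENED_CONFIG = {"debug": False, "tls": {"min_version": "1.2"},
                   "cors_origins": ["https://app.example.com"]}
HARDENED_DEPS = {"examplelib": "2.3.1", "fakehttp": "1.1.0", "otherlib": "3.0.0"}

if __name__ == "__main__":
    for label, cfg, deps in (("weak", WEAK_CONFIG, WEAK_DEPS),
                             ("hardened", HARDENED_CONFIG, HARDENED_DEPS)):
        found = evaluate(cfg, deps)
        for f in found:
            print(f"[{f.severity.upper()}] {f.policy_id}: {f.message}")
        print(f"{label}: {'PASS' if gate(found) else 'FAIL'}")
```

In a pipeline, `gate()` returning `False` would exit non-zero and stop the deploy. Because the policies live in the repository, the security team can review a pull request that relaxes a threshold, and developers can run the same checks locally before pushing, which is the division of labour the section above describes.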

Building a DevSecOps culture

Lastly, collaboration is crucial in building a DevSecOps culture. It supports continuous improvement through feedback loops. Open communication between teams in a project enables regular security policy assessment and improvement. It also makes it easy to identify areas that can still be improved, allowing the organization to evolve together with changes in the threat landscape.

Shifting security left is not achievable overnight. Organizations have to go through a transition or acclimatization period, which can become confusing and chaotic without systematic coordination and collaboration. By working closely together, development, security, and operations teams build rapport and cross-functional relationships that maximize their respective proficiencies, all of which benefits development projects and the organization in general.

The inevitability of collaboration in DevSecOps

DevSecOps entails the integration of security practices and principles into the software development lifecycle to ensure that security is taken into account as a project goes through development. As such, it requires collaboration and a sense of shared responsibility among all teams involved in a project. It is not possible to unify development, security, and operations without bringing together the people behind these teams as a cohesive unit bound by common goals and the willingness to embrace changes for the better. It is unlikely for DevSecOps to deliver the benefits of enhanced security posture and secure software products without collaboration.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.