To fulfill the promise of teaming for shared responsibility, DevOps and SecOps should align on three key objectives: collaboration, communication and integration.

Collaboration

DevOps is a process for software development that emphasizes collaboration between an organization's operations, development, testing, and support teams. The focus is on reducing time to market and improving agility through rapid development and rollouts. However, development cannot begin until there is a plan, and the planning stage is where security and compliance can already be incorporated. Tugboat Logic's Virtual Security Officer Platform enables an organization to build a system of record that implements and orchestrates the SecOps portion of the development plan. Policies and controls can be disseminated widely across product and engineering teams to document the intention of each control, define its implementation and let teams collaborate through comments and feedback in one hub.

Communication
Equally vital is the need for security practitioners to bridge the communication gap between the security function and the rest of the development organization. Compliance and security are often viewed pejoratively by other teams because people do not understand them or do not see their material effect on users' lives. But this too can be changed.
For example, instead of talking about a breach or a vulnerability, it is better to talk about a security risk in terms of project delays and unplanned, unscheduled work. When speaking to operations teams, it is better to frame availability and user privacy requirements in terms of mean response time or system uptime rather than a data breach.

"Organizations will see more ownership at the coalface of risk management and it will be teams, not lone geniuses solving problems," Herbert says.

The teaming of DevOps and SecOps is the key to making security just another product requirement and a natural business condition for the company. To succeed in a world that is moving at the speed of DevOps, security groups need to be able to articulate control requirements in both the language and the tools that DevOps lives in, such as Jira and GitHub. Tugboat Logic enables information security principles to be extended from an IT control directly into a task or issue within Jira. Once DevOps has closed the issue, the Tugboat Logic Virtual CISO Platform can update the control's status to "complete" and allow an auditor to verify implementation status.

Integration

The high degree of automation and the workflow tooling in DevOps are often its most radical process departure for security practitioners. The critical success factor for integrating security and development operations is to make control implementation easy and clear for developers to follow. For example, if the team is working toward a SOC 2 security certification, a clear control framework broken down into tasks and issues will ensure a smooth integration of security into the development cycle. Tugboat Logic's Security Certifications module is an example of how to define the requirements for certification readiness, with controls gap analysis and audit-ready verification status in one place.
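The Integration section describes a control framework broken down into tracker tasks, with a gap analysis and an audit-facing "complete" status once every linked issue is closed. The following is an added example of that roll-up, written for this page; it is not Tugboat Logic's code and does not call any tracker API. The control ids (CTL-xx), issue keys (SEC-xx), descriptions and statuses are constructed sample data, not real SOC 2 criteria.

```python
"""Controls-to-tasks gap analysis and audit-ready status roll-up.

Added example, not vendor code. Every control id, issue key and status
below is constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class TaskStatus(Enum):
    TODO = "To Do"
    IN_PROGRESS = "In Progress"
    DONE = "Done"


@dataclass
class Task:
    key: str            # issue key as a tracker would show it (constructed, e.g. "SEC-12")
    summary: str
    status: TaskStatus


@dataclass
class Control:
    control_id: str     # hypothetical framework id, not a real SOC 2 criterion number
    description: str
    tasks: list = field(default_factory=list)

    def is_gap(self) -> bool:
        # A gap is a control with no task linked at all: nobody owns it yet.
        return not self.tasks

    def is_implemented(self) -> bool:
        # A control counts as implemented only when every linked task is Done.
        return bool(self.tasks) and all(t.status is TaskStatus.DONE for t in self.tasks)


def gap_analysis(controls):
    """Split controls into (implemented, in_progress, unassigned) lists of ids."""
    implemented, in_progress, unassigned = [], [], []
    for c in controls:
        if c.is_gap():
            unassigned.append(c.control_id)
        elif c.is_implemented():
            implemented.append(c.control_id)
        else:
            in_progress.append(c.control_id)
    return implemented, in_progress, unassigned


def readiness(controls) -> float:
    """Fraction of controls whose linked tasks are all closed (3 decimal places)."""
    if not controls:
        return 0.0
    done = sum(1 for c in controls if c.is_implemented())
    return round(done / len(controls), 3)


def audit_status(control: Control) -> str:
    """Status string an auditor sees: 'complete' only once DevOps closed every issue."""
    if control.is_gap():
        return "not planned"
    if control.is_implemented():
        return "complete"
    open_keys = sorted(t.key for t in control.tasks if t.status is not TaskStatus.DONE)
    return "in progress (" + ", ".join(open_keys) + ")"


# Constructed sample framework: four controls, mixed implementation state.
SAMPLE_CONTROLS = [
    Control("CTL-01", "Encrypt customer data at rest", [
        Task("SEC-12", "Enable volume encryption on database hosts", TaskStatus.DONE),
        Task("SEC-13", "Rotate and store encryption keys in KMS", TaskStatus.DONE),
    ]),
    Control("CTL-02", "MFA required for production access", [
        Task("SEC-20", "Enforce MFA on the VPN", TaskStatus.DONE),
        Task("SEC-21", "Enforce MFA on the cloud console", TaskStatus.IN_PROGRESS),
    ]),
    Control("CTL-03", "Quarterly access review", []),           # nobody assigned yet
    Control("CTL-04", "Dependency scanning in CI", [
        Task("SEC-30", "Add dependency audit step to the pipeline", TaskStatus.DONE),
    ]),
]


if __name__ == "__main__":
    implemented, in_progress, unassigned = gap_analysis(SAMPLE_CONTROLS)
    print("implemented:", implemented)
    print("in progress:", in_progress)
    print("unassigned (gaps):", unassigned)
    print("readiness:", readiness(SAMPLE_CONTROLS))
    for c in SAMPLE_CONTROLS:
        print(c.control_id, "->", audit_status(c))
```

The point of the roll-up is that a control is never marked "complete" on the auditor's side by hand; it flips only when the tracker reports every linked issue closed, and a control with no issue at all surfaces as a gap rather than silently sitting at zero.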
"The fact is that if you set the parameters right and the controls right, by automating you will actually have better security," notes Alan Shimel of Devops.com. "You have less human error, less drift," because everything is configured to specifications that have already been proven secure and approved by the business. Shimel continues: "When you combine code injection analysis tools and automated penetration tests earlier in the development process, it makes it possible for organizations to identify and eliminate security issues at every step of the development process."

Bringing it Together

The truth is that automation and velocity in DevOps are fundamentally driving the business forward, and security needs to automate as well. The key to tying together security and development operations is the orchestration and demystification of security and compliance for the entire development team. If you make it easy and clear for developers to integrate security, you will have a more secure product and organization. Tugboat Logic provides the glue needed to connect the different worlds of DevOps and SecOps.