Findings and Core Practices in the Domain of CI/CD and DevOps on Security Compliance

Copyright: © 2021 |Pages: 6
DOI: 10.4018/978-1-7998-7367-9.ch009

Abstract

In this chapter, the authors describe the findings and conclusions on “The SecDevOps Capability Artifact.” It is validated by means of an extensive academic literature review and interviews with multiple domain experts and practitioners. An additional validation was performed by comparing the findings of this study with the high-level implementation and operational guidance of the DoD Enterprise DevSecOps Reference Design report. The purpose of that report is to describe the DevSecOps lifecycle and its supporting pillars, in line with the NIST Cybersecurity Framework, a high-level framework that builds upon the specific controls and processes defined by NIST SP 800-53, COBIT 5, and the ISO 27000 series. The chapter concludes with a pragmatic set of core practices that academics and practitioners can use to ensure security compliance in CI/CD pipelines, ultimately enabling teams to work in an agile way on digital platforms.
Chapter Preview

Findings

This research investigates a challenge that large regulated organisations are exposed to: how can they increase the speed and quality of delivery using DevOps while remaining compliant with the applicable security standards and regulations? The question is particularly relevant because the speed and flexibility promoted by DevOps often contradict the core controls addressed by security standards: segregation of duties, change control, network segregation, etc. Conversely, certain DevOps objectives simplify the implementation of security controls through development process automation, continuous monitoring, earlier integration of security requirements into design, etc.

In the previous chapters we investigated whether DevOps is ultimately an opportunity or a risk for security compliance. The answer certainly depends on the compliance requirements applicable to a specific organisation, but in general certain aspects of DevOps are an unmistakable benefit, while other aspects require a detailed review and fine-tuning in order to comply with security regulations.

We selected ISO 27002 and NIST SP 800-53 as the reference security standards for this research effort, since both standards are widely known and applied within European as well as US organisations. Furthermore, both are sufficiently detailed in terms of the controls covered to be related to DevOps controls. For each standard, a study of the controls was conducted to evaluate the impact of DevOps. At the same time, an extensive literature review of almost 100 scientific papers provided a good view of the relevant DevOps control objectives and the corresponding controls. This allowed us to map the impacted security controls to (Sec)DevOps control objectives. From this mapping we learned which (Sec)DevOps control objectives impact security compliance in either a positive (Opportunity) or a negative (Risk) way. Furthermore, the literature provided a good overview of (Sec)DevOps controls that can mitigate the abovementioned security risks. The results of the literature review were validated against the results of a number of interviews with subject matter experts, leading to the formalisation of the conclusions in the SecDevOps Capability Artifact. The capabilities highlighted in the artifact are shown in Figure 10. The figure indicates the relationship between the major capabilities and the phase of Gartner’s SecDevOps toolchain where they belong. Finally, the DoD Enterprise DevSecOps Reference Design recommendations are reviewed in the light of the SecDevOps Capability Artifact to verify that they effectively confirm our findings.

What is true for many transformations also applies to SecDevOps: it impacts security compliance from the People, Process and Technology perspectives:

  • People. SecDevOps significantly changes the way in which security is integrated into the development process, which requires the introduction of new types of security roles within the organisation. The focus of the existing roles is also shifting, so training is needed at different levels: from generic security training for team members to dedicated specialist training for technical profiles (e.g. developers, architects, operations, etc.).

  • Process. SecDevOps is often introduced in the organisation together with the move to Agile software development. Therefore, it is not always easy to distinguish the process impact of SecDevOps from the impact of Agile. In general, it impacts the traditional segregation of roles, the rights each role gets within the software development and deployment chain, and the way in which software is designed and released.

  • Technology. The most significant contribution of SecDevOps to the changing way we do security stems from the extensive use of automation. Automation and technology create almost endless possibilities to speed up and improve the quality of traditionally time-consuming processes such as documentation, change management and control, capacity management, event logging, monitoring and reporting. SecDevOps makes it possible to automate many of these steps through CI/CD, to build intelligent controls and alerts into the deployment pipeline, and to take automatic action in case of failure (e.g. automatic release roll-back).
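As an added illustration of the automated pipeline controls described above (example code, not from the chapter or the DoD reference design): a compliance gate that evaluates a release candidate's metadata against segregation of duties, change control and scanner results, emits the evidence an auditor would ask for, and rolls back automatically when post-deployment monitoring fails. All field names, the policy thresholds and the sample releases are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Release:
    """Metadata a pipeline collects about one release candidate (constructed fields)."""
    version: str
    author: str             # who merged the change
    approvers: list         # who approved the pull request
    change_ticket: str      # reference in the change-management system, "" if none
    scan_findings: dict     # severity -> count reported by the pipeline's scanners
    health_checks_ok: bool  # result of post-deployment monitoring

# constructed policy: no critical or high findings may reach production
MAX_ALLOWED = {"critical": 0, "high": 0}

def segregation_of_duties(r: Release) -> bool:
    # the author may not be the only approver of their own change
    return any(a != r.author for a in r.approvers)

def change_control(r: Release) -> bool:
    # every production release must reference an approved change record
    return r.change_ticket.startswith("CHG-")

def security_scan_passed(r: Release) -> bool:
    return all(r.scan_findings.get(sev, 0) <= limit
               for sev, limit in MAX_ALLOWED.items())

def compliance_gate(r: Release):
    """Decide whether a release may be promoted and return audit evidence."""
    checks = {
        "segregation_of_duties": segregation_of_duties(r),
        "change_control": change_control(r),
        "security_scan": security_scan_passed(r),
    }
    failed = [name for name, ok in checks.items() if not ok]
    decision = "blocked" if failed else "promoted"
    return decision, {"version": r.version, "checks": checks, "failed": failed}

def post_deploy(r: Release, previous_version: str) -> dict:
    """Automatic roll-back when monitoring reports failure after the release."""
    if r.health_checks_ok:
        return {"active": r.version, "action": "none"}
    return {"active": previous_version, "action": "rollback", "from": r.version}

# constructed sample releases
GOOD = Release("2.4.0", "alice", ["bob"], "CHG-1042", {"critical": 0, "high": 0, "medium": 3}, True)
SELF_APPROVED = Release("2.4.1", "alice", ["alice"], "CHG-1043", {"critical": 0, "high": 0}, True)
NO_TICKET = Release("2.4.2", "carol", ["dave"], "", {"critical": 1}, True)
UNHEALTHY = Release("2.4.3", "erin", ["frank"], "CHG-1045", {}, False)
```

The evidence dictionary returned by `compliance_gate` is what replaces the manually assembled change-control paperwork: each check is recorded per release, so the pipeline produces the compliance trail as a by-product of deploying.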
