Compliance as code – Benefits of DevSecOps from a governance perspective



We see organisations in their DevOps journey struggle to embed security from the start. One reason is that each DevOps maturity level comes with certain security practices that result in better and more sustainable security outcomes. The fact is that there is no silver bullet for governing your organisation ‘the DevSecOps way’.

The benefits of DevSecOps in governance, metrics and compliance

Customer demands are rising, putting pressure on organisations to decrease their products’ time-to-market. As disruption becomes more pervasive, organisations need a new strategic approach: one that positions them to change course in real time based on current market realities. This puts high pressure on organisations to deliver secure innovations. In the paradigm of ‘speed over perfection’, regulatory obligations, internal control procedures and compliance requirements call for solid governance and automated controls to increase auditability, reliability and predictability. Considering this reality, corporate executives are more aware of information security governance and see investing in it as a high priority.

Shift Security Left

This security trend fosters the ability to excel in the market and have outstanding security. It positions security as an integral part of the entire software development pipeline, among other things by performing manual (human) and automated security reviews and penetration tests before go-live. We see organisations in their DevOps journey struggle to embed security from the start. One reason is that each DevOps maturity level comes with certain security practices that result in better security outcomes.

Every organisation has its unique culture and vision, which are deeply ingrained in the organisation’s DNA. This unique DNA does, however, mean that there is no silver bullet for governing your organisation ‘the DevSecOps way’. In this blog we focus on governance, metrics and compliance within DevSecOps.


Boards are becoming increasingly aware of the risks organisations face in a digitalized environment and that security needs a holistic approach. The recognition that multiple views are required in the field of cybersecurity is also recognition that it should no longer be an IT-specific concern. This means that the accountability and responsibility for security is shared across business, security and DevOps teams. The alignment between these departments is key to making the transformation genuinely successful. One cannot expect security to become an enabling factor in the organisation while Operations and Security are working in their respective silos. On the other hand, DevSecOps cannot be fully integrated when the governance style does not support this methodology.

What we see is that the security governance structure of organisations is not aligned with DevSecOps practices. Often inefficient metrics, outdated policies and compliance efforts are applied.


A well-designed SDLC pipeline provides many valuable insights into your organisation. The key is to establish shared metrics to monitor and evaluate progress. DevOps already introduced various deployment, lead time and mean time to repair (MTTR) metrics. To measure the effectiveness of security practices, security metrics must be integrated into the process. These security metrics are designed to drive security improvements, not to blame teams and individuals for failure. The metrics should provide insights to product owners and higher management on how they can support, guide and enable their DevOps teams to improve, for example, their way of working, productivity and security know-how.

Establishing SMART metrics can be challenging, and one should be aware that security metrics should be aligned with your organisation’s security maturity level. The quality of the metrics is more important than the quantity. Regulatory requirements (e.g. data breach response / reporting speed), compliance standards (e.g. MTBO, RPO) and baseline security metrics (e.g. incident response time, number of failed logins) are consulted to formulate the necessary security metrics. Organisations at the beginning of their DevSecOps transformation could, for example, start with measuring the usage of security tooling in the pipeline, what kind of vulnerabilities and security issues are addressed (for example based on CVE number) and the ratio between features, fixes and security patches. Once your organisation becomes more mature, other metrics can be applied to support business decisions.

All these security metrics need to be translated into data requirements, meaning the application has to be able to log the data needed to measure each security metric. Learn from your metrics and identify trends to steer your organisation in its DevSecOps transformation.


Organisations often react to stricter government regulations by making expensive ‘impulsive’ investments to reach compliance. DevOps’ focus on automation enables continuous compliance. Organisations should integrate ‘compliance as code’ to minimize the compliance burden. ‘Compliance as code’ means that compliance requirements are defined in a human- and machine-readable format, enabling automation and rigidity. By properly implementing quality gates and testing tools in your SDLC, compliance will not be a documentation-centric endeavour of paperwork but a matter of automated reports, checks and balances from the tools in your delivery pipeline. Next to tooling, various processes need to be tailored to the DevOps way of working. We advise starting small (with pilots) and continuing to build on the successes.
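An illustration of the ‘compliance as code’ quality gate described above, added here and not taken from the original blog: the requirements are JSON that an auditor can read and a pipeline can evaluate, and the result doubles as the automated compliance report. The requirement IDs, field names, thresholds and evidence values are constructed assumptions, not drawn from any standard.

```python
import json

# Constructed requirements in a human- and machine-readable form (hypothetical IDs).
REQUIREMENTS = json.loads("""
[
  {"id": "REQ-01", "text": "Static analysis runs on every build",
   "field": "sast.executed", "op": "eq", "value": true},
  {"id": "REQ-02", "text": "No critical vulnerabilities at release",
   "field": "vulns.critical", "op": "le", "value": 0},
  {"id": "REQ-03", "text": "High vulnerabilities stay within tolerance",
   "field": "vulns.high", "op": "le", "value": 2},
  {"id": "REQ-04", "text": "Every change has an independent reviewer",
   "field": "review.approvals", "op": "ge", "value": 1}
]
""")

OPS = {"eq": lambda a, b: a == b, "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}
_MISSING = object()

def lookup(evidence, dotted):
    """Resolve a dotted path such as 'vulns.high' in nested pipeline evidence."""
    cur = evidence
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur

def evaluate(requirements, evidence):
    """Return one audit record per requirement; missing evidence fails closed."""
    report = []
    for req in requirements:
        actual = lookup(evidence, req["field"])
        if actual is _MISSING:
            status, actual = "NO_EVIDENCE", None
        else:
            status = "PASS" if OPS[req["op"]](actual, req["value"]) else "FAIL"
        report.append({"id": req["id"], "requirement": req["text"], "status": status,
                       "actual": actual, "expected": f'{req["op"]} {req["value"]}'})
    return report

def gate(report):
    """The quality gate opens only when every requirement has passing evidence."""
    return all(r["status"] == "PASS" for r in report)

# Constructed evidence as pipeline tools might emit it; review data is absent.
EVIDENCE = {"sast": {"executed": True}, "vulns": {"critical": 0, "high": 3}}

if __name__ == "__main__":
    audit = evaluate(REQUIREMENTS, EVIDENCE)
    print(json.dumps(audit, indent=2))      # the automated compliance report
    raise SystemExit(0 if gate(audit) else 1)
```

Treating absent evidence as a failure is the design choice that matters here: a tool that silently did not run must not read as compliant.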

Going forward

Leadership buy-in and mandate are required to ensure the organisational security shift has board support and sponsorship. All layers in the organisation, horizontally as well as vertically, have to support the DevSecOps way of working and the principles that come with it. Only then can true collaboration take place and DevSecOps deliver on its promises.

If you want to enable your organisation to thrive in a highly competitive industry with increasing customer demands and security risks, an organisational transformation towards DevSecOps through the pillars of governance, people, process and technology is vital.

In our next blog we will discuss how to empower the most vital part of DevSecOps: The people.

More information

For more information about DevSecOps or Cyber security, please contact Jelle Niemantsverdriet, Gijs Zijderveld or Tom Zijderhand via the contact details below.
