The demanding speed of today’s development cycles and flexibility of IT infrastructure provides a huge opportunity to move faster not only for the development teams, but for the security team as well. DevSecOps, specifically – the early integration of security into the development and deployment processes – allows even large organizations with large infrastructures to remediate security threats and exposures faster and in a fairly automated manner, speeding up deployment and release times and simplifying infrastructure and application security changes.
Let’s take a look at three large companies that made the transition to DevSecOps. All three companies confirm that embracing DevSecOps has improved their organization’s performance at every level, empowering their teams, and enhancing productivity.
Fannie Mae used to introduce security very late in their development process, and so vulnerabilities and risks were not addressed on time. Furthermore, they didn’t provide a good customer experience and lacked customer feedback because it wasn’t built into their development process. For Fannie Mae, embracing DevSecOps seemed almost inevitable and has put them on top of the game. Chitra Elango, Cyber Security Manager at Fannie Mae comments, “Security is everybody’s problem. You have to teach the developers about security. We empower our developers by training them. We help them write secure code within their application.”
Fannie Mae started focusing on customer experience to enable their business partners to deliver new releases faster using DevSecOps. This allowed them to double the number of releases by reducing the length of time of the releases using rapid prototyping in order to get feedback and automate security testing in the process.
Working in a DevSecOps environment allowed Fannie Mae to use tools and strategic initiatives to deploy new systems to get feedback, go live in production, and remediate vulnerabilities within the development process at a much faster pace. And this helped build trust and confidence with their customers.
In an effort to reduce the number of security vulnerabilities in their products, Paypal embedded several repeatable proactive security practices in their product life cycle. . “We wanted to make it incredibly hard for our developers to shoot themselves in the foot when it comes to security,” said PayPal’s Laksh Raghavan, Senior Security Strategist in the Information Risk Management area.
Adopting the agile methodology and transitioning to DevSecOps like a hurricane, Paypal had to shift their mindset from being project-driven to being product aligned in order to make usability and security equal priorities. “Change Champions” and “Transformation Team Members” were assigned to shepherd the organization through the process, which had an impressive planned timeline of less than one year.
They also instituted auto-enabled security controls, implemented secure frameworks and security tools, and used threat modeling for uncommon features and web or mobile apps on their standardized, secure frameworks. To make things easier for their development team, PayPal created actionable security stories in developer lingo, not security lingo. They added clear usage guidelines and provided secure code snippets. Developers also had autonomy to implement well-established patterns and approved security controls.
Finally, PayPal’s strategy also included institutionalizing risk-based thinking and processes, requiring security to be integrated by default at all layers, and they focused on automation – they put their bots to work.
Their success can be measured in Paypal’s wide adoption across their product development organization, and improved efficiency and early engagement meant that few projects were affected by security roadblocks during launch.
“Security at Allianz needed to change,” explains Jon Allen, Information Security Manager at Allianz, “because security basically only came in at the very end of development and the attitude towards security was on the lines of ‘we're going live and security just needs to do what it can.'”
Fixing security vulnerabilities was a slow process and was always someone else’s problem. Creating automated testing tools and remediation plans was just too hard. Allianz’s infrastructure and applications needed an upgrade – a difficult task in an enormous organization like Allianz, especially when IT Security was outsourced.
Allianz had to transition to DevSecOps or fall behind.
For a large company like Allianz, transforming to a DevSecOps environment was never going to be easy; it was important to start with a low-risk product. They needed to do it well, do it quickly, and do it securely.
They began by adding security into organizational language and culture and by changing their internal security ethos. But for real success, Allianz engaged stakeholders, added security skills to developers, and business skills to security pros – which all worked towards building and increasing trust.
Allianz also added pen-testing into their DevOps process so developers could quickly fix security vulnerabilities and produce clean, secure code. They educated and empowered their team, focused on security engineering, business risk assessments and threat modeling, and they built static application security testing into their pipeline, which made a huge difference in roll-out speed.
Since launching DevSecOps, Allianz vulnerability remediation times are down and the team is moving forward with implementing DevSecOps across the organization.
Moving to DevSecOps
Perhaps the greatest challenge of injecting security into DevOps is changing the organizational mindset. But despite the challenges, DevSecOps is an inevitable direction for large organizations that want their brand to spearhead the market.
It is clear that Fannie Mae, PayPal, and Allianz now benefit from empowered, collaborative teams which are capable of remediating security vulnerabilities early in the production process; they deliver secure code at speed, provide good customer experience, and build trust with their customers and also internally with their teams.