DevSecOps the hard way: Part I

DIY security standard

This is the first blog in a series to share my thought on how to build a DevSecOps culture in an organization

Many businesses have started using DevOps/DevSecOps by adding many advanced tools, hoping they will improve security processes. But, the main thing to think about is checking current processes and combining them to make sure they work well with a fast and flexible culture.

Let's build a scalable standard

One of the key aspects of implementing DevSecOps is the integration of compliance and regulation requirements into the development process. By understanding the various regulatory frameworks and security standards relevant to your organization, you can create a single internal standard that encompasses all of them

This unified standard will serve as a guide for your development teams, ensuring that they are aware of the security and compliance requirements for their projects. This will also help reduce the risk of non-compliance, as developers will have a clear understanding of the expectations and guidelines they need to follow.

To create an effective internal security standard, consider the following steps:

Identify relevant regulations and security standards:

Start by identifying the various regulations and security standards that apply to your organization. This may include industry-specific regulations (e.g., HIPAA for healthcare, GDPR for data privacy), as well as general security frameworks (e.g., ISO 27001, NIST).

Map out your organization's security requirements:

Based on the identified regulations and standards, create a comprehensive list of security requirements that your organization must adhere to. This will help you understand the scope of your security obligations and prioritize the most critical areas.

Develop a unified security standard:

Once you have a clear understanding of the security requirements, consolidate them into a single, unified security standard. This document should serve as a reference for your development teams, outlining the expectations and guidelines they need to follow to ensure compliance.

Categorize the deviations by maturity level:

Different projects need different security levels. Make level 1 the basic security needed for most projects, and add stricter rules for higher levels. This way, developers can start with a few important requirements and not worry about many unfamiliar security rules at first.

Continuous Evidence & Compliance as Code:

Now it's time for tooling and hands-on, since we have the unified security standard, we can bring it to life with any state-of-the-art cool tech that you can think about, making it a part of DevSecOps strategy. There are some ideas to think about:

  • Build your own compliance portfolio as the golden compass and single source of trust for every consumer.

  • Embedding security assessment throughout the CI/CD pipeline

  • Continuous evidence with benchmark and data workflow

Continuous monitoring & improvement:

Another advantage of having a maturity level is that over time, an increasing number of security requirements will be updated to defend against new threats and attack vectors. This allows us to consistently stay aligned with new levels in your DIY maturity level. Similarly, a higher level from yesterday might be easier to implement today (particularly for those using public cloud environments), so it can be shifted to a lower level. In this manner, you can develop a scalable and sustainable security framework that can grow alongside your business