You can’t have security for DevOps until you have DevOps for security

The faster we iterate on refining secure development practices, the faster our developers can address security pain points, and the better we protect our customers.

Bryan Sullivan
4 min readintermediate
--
View Original

Overview

The article emphasizes the importance of integrating DevOps practices into secure development to enhance security measures effectively. It presents a framework used by the One Engineering System (1ES) Security team at Microsoft that focuses on rapid iteration and validation of security practices.

What You'll Learn

1

How to apply lean product development principles to secure software development

2

Why rapid iteration is crucial for addressing security vulnerabilities

3

How to set SMART OKRs for improving security practices

Key Questions Answered

How can DevOps practices enhance secure development?
Integrating DevOps practices into secure development allows for rapid iteration on security measures, enabling developers to quickly address vulnerabilities and improve overall security. This approach fosters a proactive rather than reactive stance towards security issues.
What framework can be used for implementing security in DevOps?
The framework includes setting a SMART, business-goal-oriented OKR, developing and validating problem hypotheses, and creating solution hypotheses to address identified issues. This structured approach helps teams focus on effective security practices.
What was Laura's approach to improving fix times for vulnerabilities?
Laura set an OKR to improve fix times by 20% and discovered through analysis that late alerts in the DevOps lifecycle were a major issue. She developed an IDE plug-in that alerted developers early, resulting in a 30% reduction in fix times.

Key Statistics & Figures

Improvement in fix times
30%
This was achieved through the deployment of an IDE plug-in that alerted developers to vulnerabilities early in the development process.
Target fix time improvement
20%
Laura set this OKR for her organization to enhance their response to vulnerable packages.

Technologies & Tools

Software
IDE Plug-in
Used to alert developers about vulnerable packages early in the development cycle.

Key Actionable Insights

1
Implement a rapid iteration process for security practices in your development workflow.
By adopting a lean approach, teams can quickly identify and address security vulnerabilities, improving overall product security and responsiveness to threats.
2
Set clear, measurable objectives (OKRs) for security improvements.
Establishing SMART goals helps teams focus their efforts and measure progress, ensuring that security practices evolve effectively over time.
3
Engage in regular telemetry analysis to inform security practices.
Using data to understand the effectiveness of security measures allows teams to pivot strategies quickly and address issues before they escalate.

Common Pitfalls

1
Failing to integrate security practices early in the development lifecycle can lead to delayed responses to vulnerabilities.
This often happens because teams focus on shipping code quickly without considering security implications, resulting in vulnerabilities being addressed too late.