DevSecOps: How to Deliver Security at DevOps Speed

SAN FRANCISCO—The emerging idea of DevSecOps is all about integrating security into the developer and operations workflow, but how is that actually achieved within a large organization?

In a session at the RSA Conference here this week, Steve Martino, senior vice president and chief information security officer at Cisco, explained how his organization has approached the challenge of being able to deliver security at DevOps speed. In a video interview with eWEEK, Martino provided additional detail on how the process works within Cisco now and what the direction will be in the future.

"It's about DevSecOps, and it really came out of work that we were doing internally to enable our business to build more adaptive, faster solutions for our customers," Martino said.

DevOps is an approach where development is closely tied with operations, as opposed to a more traditional approach where development and operations are siloed efforts. Martino said that while the concept of DevOps has many benefits, it is often lacking when it comes to security.

"We think of it as DevSecOps—how do we insert security as part of the development and the operations, gluing the two together in a better, more integrated way?" he said. 

How DevSecOps Works

Martino said DevSecOps is not about a prescriptive set of requirements that are dictated to developers and operations teams. Rather, Cisco is building security as code for the engineering and operations teams, delivered and consumed much like a product.

Part of the product deliverable is provisioning secure development environments for developers that are already integrated with single sign-on, hardened operating systems, proper network controls and enterprise security policies. Since Martino's team is providing the environments, they are able to detect potential anomalies in the infrastructure and identify bad behavior from attackers.

For existing environments, Martino's team provides a set of scripts that helps harden the developer environment. New teams go to the internal Cisco eStore and are automatically provisioned with the resources they need either via an internal Cisco cloud or via a pre-negotiated public cloud instance.

"So the teams can go faster and are more secure," he said. "We get the data we need in a more effective way, and we have seen a reduction in [security] incidents because the teams have built things the right way."

Some advocates of the DevSecOps approach start with integrated code scanning as part of the continuous integration/continuous development (CI/CD) pipeline. Martino said that Cisco is taking a crawl, walk, run approach, first making sure the development environment is secure. Looking forward, the plan is to provide additional scanning capabilities.

"If I didn't set up the environment securely, then scanning the code doesn't really matter because somebody could already get into the environment, abuse the environment and do something," Martino said. "We have started at the beginning, but we are integrating a number of analytics tools and third-party scanning so we know what software is present and if there are vulnerabilities."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.