In the realm of DevOps, automation is required to scale, but in his talk at the 2018 Security Congress, Mike Shema, CISO at Cobalt.io, said that DevSecOps is about people.
“DevOps is critical in the sense of introducing automation. Automation is important for managing complexity and minimizing human error, but the security team needs to be thinking about how to work with the DevOps teams so that they have an appreciation for security,” Shema said.
In the end, the apps that DevOps are building are being created for people, so it’s important to be working with them, working for them and building for them. While it’s easy to dismiss users and their behavior as foolish, it’s also sometimes true that developers are lazy and both behaviors create risk, Shema said.
In order to bring security to where the developers are, there needs to be a common language, particularly in meetings. By focusing on communication and having a clear framework for what needs to be discussed, Shema said, it is possible to turn DevOps in to DevSecOps.
“Putting security in the middle is intentional because you can’t tag security on at the end. Security is what ties the two together,” Shema said.
A good sense of a shared vocabulary between developers and security does exist with OWASP. “Those are really quick, off-the-cuff terms we can throw out so security practitioners and DevOps teams can quickly understand whether something is high risk or low risk, but there is a need for having a shared vocabulary in the meetings with DevOps in order to make the meetings more successful,” Shema said.
Different end users pose different risks, so the teams need to have discussions about the different ways to look at threat models that include the end user. To that end, Shema offered suggestions on how to make meetings more successful.
“Things like tabletop role-playing games that promote social interaction. They require people to get together and move toward a common goal,” he said. In many games, players encounter fights that happen between monsters and heroes, and they learn the skills necessary to overcome different challenges. Those skills translate over to dealing with people.
The coder or sysadmin play the barbarian, DevOps becomes the fighter, red teams morph into thieves while blue teams take on the role of clerics and the CISO plays the bard.
“It’s about ensuring that everyone gets a turn around the table so that there’s not one person monopolizing the conversation. When a single person is the only one talking, it erases other people’s voices,” Shema said. "Having an agenda keeps the meeting focused and avoids people going off topic. Then you can pull people in to make sure their voices are heard."
While these tactics are not revolutionary, Shema's purpose is to remind DevOps to rely on people when it comes to security policies.