Updated: Oct 29, 2020
Are you responsible for security?
Even if it’s not in your title or job description, the answer is yes. Every employee is responsible for the security of their work. Unfortunately, many organizations don’t make this clear and don’t enforce it as policy. As vulnerabilities pile up on the desks of security engineers, developers wonder what’s taking so long – how many times does code have to be fixed before it’s deemed secure? DevSecOps flips traditional security on its head, but needs a strong security culture for sustainable success.
What is security culture?
A security culture means that everyone – from board members to interns – must care about security and take actions to maintain it. Security should be considered in every piece of work and at every decision.
This may seem counterintuitive and not the efficiency promised by DevSecOps. But by embedding security into every employee’s actions, the security team’s workload is streamlined and the end product is more secure. This is what companies mean when they talk about shifting security left: Bringing security forward in the software development life cycle to improve planning, test more code, and build accountability among non-security team members.
How to make security culture your default state
Unless you’ve included security in every employee’s onboarding, creating a widespread security culture mindset will be challenging. Employees will need to think differently, behave differently, and eventually turn those changes into habits so that security becomes a natural part of their day-to-day work.
6 steps to creating a security culture
Step 1: Culture change starts at the top
If your organization has left security to "the team," moving to a security culture will require board members and executives to be very involved in this change. Once execs are on board, work with thought leaders across the company to develop a security awareness and training program. Set the tone by making security a company-wide initiative, letting everyone know that security is top priority regardless of job function or organization.
Step 2: Awareness, education, and mutual understanding
Give employees training on how they should incorporate security practices into everything they do. Transparency is key to building trust, so it’s important that employees understand why security is necessary and how they can contribute to the overall goal. On the other side, educate security practitioners about the demands placed on the business and on DevOps practices. This will help them work with you to create policies that move security and development forward together.
Step 3: Appoint security champions in dev
Some employees will adopt security enthusiastically. Recruit those people to champion awareness and adoption among their peers. It may be helpful to provide your security champions extra resources and educational opportunities to boost their knowledge and make them an accessible resource for those around them.
Step 4: Encourage cross-functional collaboration
Team members should feel comfortable reaching out across functions, asking questions, and sharing (non-sensitive) information. DevSecOps breaks down silos to create a more efficient process, but it also does this to improve communication and build camaraderie between teams. If security is made into a multi-team effort, employees will feel encouraged to jump on the secure work bandwagon.
Step 5: Give developers the tools they need
Security behaviors will be more readily adopted if they fit seamlessly into the developer’s workflow. Security as code plays a big role here: Developers can produce more secure work when policies, tests, and scans are integrated into the pipeline and code itself. Excessive tool-switching will negate the benefits of shifting left, so it’s best to maintain efficiency by keeping your tech stack as simple as possible.
Step 6: Automate when appropriate
Automation is crucial for scaling security and will make adoption even easier for non-security employees. Within the developer’s workflow, static application security tests can be run against every code commit. Those scans can automatically produce a work ticket or populate a security dashboard.
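As an added illustration of the "scan produces a ticket or dashboard entry" step, here is a small triage script (not code from the original post or from GitLab) that reads a SAST report in the JSON shape GitLab scanners emit, tallies findings by severity, builds an issue-tracker payload for each finding at or above a threshold, and returns whether the pipeline should be blocked. The report contents and file names are constructed for the example, and only the report fields the script reads are assumed.

```python
import json
from collections import Counter

# Constructed sample in the shape of a GitLab SAST report (gl-sast-report.json).
# The findings, files and ids are invented; only the fields read below are assumed.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "name": "SQL injection", "severity": "High",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "b2", "name": "Hardcoded credential", "severity": "Critical",
         "location": {"file": "app/config.py", "start_line": 7}},
        {"id": "c3", "name": "Weak hash algorithm", "severity": "Low",
         "location": {"file": "app/util.py", "start_line": 19}},
    ],
})

# Ordering used for threshold comparisons; unknown values rank lowest.
SEVERITY_RANK = {"Info": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def load_findings(report_text):
    """Return the vulnerabilities list from a SAST report JSON string."""
    return json.loads(report_text).get("vulnerabilities", [])

def severity_counts(findings):
    """Dashboard-style tally: how many findings at each severity."""
    return Counter(f.get("severity", "Unknown") for f in findings)

def ticket_payloads(findings, minimum="High"):
    """One issue-tracker payload per finding at or above `minimum`, worst first."""
    rank = lambda f: SEVERITY_RANK.get(f.get("severity", "Unknown"), 0)
    tickets = []
    for f in sorted(findings, key=rank, reverse=True):
        if rank(f) < SEVERITY_RANK[minimum]:
            continue
        loc = f.get("location", {})
        tickets.append({
            "title": f"[SAST][{f['severity']}] {f['name']} in {loc.get('file')}:{loc.get('start_line')}",
            "labels": ["security", f"severity::{f['severity'].lower()}"],
            "finding_id": f["id"],
        })
    return tickets

def should_block(findings, minimum="High"):
    """Pipeline gate: True when any finding meets the threshold."""
    return bool(ticket_payloads(findings, minimum))

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(dict(severity_counts(findings)))
    for t in ticket_payloads(findings):
        print(t["title"])
    raise SystemExit(1 if should_block(findings) else 0)
```

In a real pipeline the report would be read from the scanner's artifact and the payloads posted to the issue tracker; the exit status is what lets the job fail on new high-severity findings.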
Culture change: Worth the challenge
Security isn’t an option: It’s a requirement. Security culture will always be worth the effort. Making security a top priority for the people in your organization will fortify your tech defenses and help you innovate in ways that will (hopefully) withstand the ever-changing threat landscape.
Licensed from https://about.gitlab.com/blog/2020/07/15/security-culture-devsecops/