DevSecOps: Security at the Speed of Business
[This is part two of a four-part blog series about DevSecOps.]
In Part One of this blog series DevSecOps – Win Win for All, we established a foundation for DevSecOps practices with our Cloud Security Manifesto. In Part 2 of this series, we will describe another key aspect of DevSecOps – developing security guardrails with a hands-on approach via Agile hackathons.
DevSecOps is about bridging DevOps workflows with Information Security (Infosec) Operations by embedding security as code during development, validation during testing and leveraging automation to run continuous operations. From many years in IT, we know that it’s a good idea to first prove ideas manually before we automate. Agile security hackathon is how we bring in participants from relevant disciplines within Information Security and application teams to first go through a set of implementation steps to configure the most important security requirements – the guardrails. With the winter Olympics in progress, this is akin to the guardrails that help a gravity powered Bobsled go faster along iced tracks in a safe manner.
Defining Security Guardrails
The DevSecOps practice was built on Amazon’s Web Services (AWS) platform as our first target environment. Security in AWS is a shared responsibility model. While AWS provides assurance around the physical security of their Data Centers and security of their service offerings, it is Cisco’s responsibility to secure Cisco’s offers hosted on AWS. It’s important to ensure that controls are in place for administration of the environment, asset exposure to the internet, and that there is continuous visibility to the security posture to continuously detect and respond to any anomalies.
With these considerations, the following guardrails were prioritized for the hackathon.
These guardrails enable the Cloud offering teams to confidently build and deploy their offers more quickly and demonstrates two key principles in our Manifesto – #1 “Collaborating to Securely Enable Business over Mandates” and #7 “Defense in Depth, Proactive Detection and Quick Recovery over Assumed Perfect Security.”
Agile Security Hackathon
There is a saying that ‘while in Rome do as the Romans do’. For Infosec teams to embrace Security as Code, they need to do as Agile and DevOps teams do. That means bringing multiple functions within Information Security together to collaborate as one team and learn to build and operate iteratively delivering value with each iteration. This started with our Agile Security Hackathon where we brought together a dozen members from different parts of the InfoSec team with a few Cloud Offer teams to participate in a two day hackathon.
The hackathon runs as multiple sprints that take place concurrently, with four small three member teams. The sprints are 90 minutes long where the team implements one of the guardrails, tests them and documents the how-to. After each sprint, the entire team is given a 60 minute read-out along with the Product Owner issuing a definition of done when the guardrail meets all acceptance criteria and can be closed by the Scrum Master. The teams also cross validate the implementation of the guardrails. This helps the entire team be knowledgeable and support the users in true DevOps fashion. The sprints – readouts cycle repeats continuously throughout the day, and by end of each day, retrospectives are held to continually improve the hackathon experience and deliverables.
At the end of the first hackathon, the team delivered nine out of the 10 guardrails – success in our books for sure. We have since completed five hackathons and delivered on multiple use cases, and that’s a sure sign of a new norm, a new culture.
In the next part of our blog series, we will share more on how we automated the Guardrails delivering on a few more elements of our manifesto. Please stay tuned and in the meantime we welcome your comments.
Visit trust.cisco.com for more information on how we protect Cisco our customers and our solutions.