
DevSecOps: Embedded Security Within the Hyper Agile Speed of DevOps

Mark G. Moore, Managing Director, Deloitte and Touche LLP
Antonio L. Bovoso, Senior Manager, Deloitte and Touche LLP
What is DevSecOps?
A transformational shift which incorporates secure culture, practices, and tools to drive visibility,
collaboration, and agility of security into each phase of the DevOps pipeline

Governance: Establish security ‘guardrails’ and monitor results
• Redesign the operational & compliance framework
• Establish shared metrics to evaluate progress

People: Break down silos between security and DevOps teams and instill cyber awareness
• Incorporate security staff in DevOps teams
• Have security teams brief dev and ops teams on current threats / exploits / breaches

Process: Orchestrate an integrated process flow and drive ‘in-line’ risk rationalized feedback
• Asset inventory and risk awareness
• Integrated backlog and pipeline
• Security telemetry and incident response

Technology: Automate recurring security tasks and harden the development pipeline
• Automate secure application development
• Protect the toolchain and infrastructure

Continuous improvement and added value

Improve security and quality
• Increase deployment success rate
• Reduce mean time to resolve incidents
• Reduce number of open security defects

Improve time to market
• Increase production deployment frequency
• Greater speed of deployment

Improve compliance feedback
• Reduction in open compliance findings
• Decrease time from audit request to evidence delivery

Improve productivity
• More story points per sprint
• Increase pipeline velocity
• Controlled production access
Copyright © 2018 Deloitte Development LLC. All rights reserved.
From DevOps to DevSecOps

What is DevOps?
A set of practices that automates the processes between development and operation teams to build, test,
and release software quickly and reliably

Why security in DevOps?
• The ability to deploy applications has improved in both scale and speed, while security considerations
are often overlooked in favor of meeting business demands quickly
• Given the reliance on applications to keep operations running, security in the development process
cannot be an afterthought
• Application security must speed up to keep pace with operations

How can we bring security into DevOps?
• Tightly integrate security tools and processes throughout the DevOps pipeline
• Automate core security tasks by embedding security controls early on in the software development
lifecycle
• Continuous monitoring and remediation of security defects across the application lifecycle, including
development and maintenance

Key Benefits

Continuous security: DevSecOps implements the ‘secure by design’ principle by using automated security
review of code and automated application security testing

Increased efficiency & product quality: Security issues are detected and remediated during development
phases, which increases the speed of delivery and enhances quality

Enhanced compliance: In DevSecOps, security auditing, monitoring, and notification systems are automated
and continuously monitored, which facilitates enhanced compliance

Increased collaboration: By integrating development, security and operations, DevSecOps fosters a culture
of openness and transparency from the earliest stages of development



Common myths and misconceptions
Perceived challenges and piece-meal integration often hinder organizations from realizing the value of
incorporating security into DevOps

• DevSecOps is only “Security as Code” or Automation
• DevSecOps is incompatible with my compliance requirements
• Security team does not require development knowledge
• DevSecOps requires developers to be security experts
• DevSecOps just means code scanning
• DevSecOps requires significant tool investment
• DevSecOps prevents organizations from meeting their business objectives



A DevSecOps program requires continuous improvement to achieve desired efficiency

Strategic Goals
Strategy:
• Establish strategic drivers for DevOps teams to meet changing business requirements without excluding
security and compliance needs
Cultural transformation:
• Continuous enablement to initiate culture change to foster collaboration between developers, security
teams, and operations

Architecture and Operations
Design:
• Design a DevSecOps operating model that includes designing data flows, developing standards, and
mapping technologies and processes to core security operations
Execution:
• Implement new tools and processes to enable security in the DevOps environment

Program Evaluation
Monitor:
• Ensure processes are followed, maintained, reviewed and updated regularly
• Implement processes to perform lessons learned, evaluate policies and enhance training

Continuous Process Improvement

The DevSecOps transformation is achieved through the following pillars:

Governance: Establish security ‘guardrails’ and monitor results
People: Staff against business priorities and disseminate security know-how
Process: Orchestrate an integrated process flow and drive ‘in-line’ risk rationalized feedback
Technology: Automate recurring security tasks and harden the development pipeline



Drive scalable governance for DevSecOps
The approach to developing a sustainable governance model is through enabling security services that are
business aligned, agile, self-service and risk based

Governance

DevSecOps Roles and Responsibilities: Establishing well defined roles and responsibilities is imperative in
cross functional DevOps teams. It leads to efficient operations for a product.

Establish Policies and Procedures: Introducing DevSecOps specific policies and procedures will enable
organizations to keep up with the pace of application development in a DevOps environment.

Enable Security Automation: Automated security tools in the DevSecOps pipeline improve overall security by
reducing vulnerabilities and security flaws due to human error.

Automated Audit Evidence Collection: Security monitoring and notification systems in DevSecOps create an
automated audit trail throughout the software development lifecycle, which facilitates compliance
reporting.

Monitor Security Metrics for Continuous Feedback: Continuously monitoring security metrics allows DevOps
teams to consistently improve their security decisions and stay on top of the game.



DevSecOps success criteria

Open collaboration to shared objectives
• Set shared expectations and metrics for measuring success
• Align security architects and focus activities based on business priorities

Security at the source
• Create consumable, self-service security capabilities
• Establish security ‘guardrails’ and monitor results / provide targeted feedback

Reinforce and elevate through automation
• Orchestrate integrated process flow by automating recurring tasks
• Embed preventative operational controls and audit trails

Risk-oriented operations and actionable insights
• Utilize operational insights and threat intelligence to drive process flow, prioritization and
remediation recommendations
• Don’t just rely on scans; take a risk-based approach to testing

Holistic approach to security objectives
• Integrate a framework to secure both the pipeline and the application
• End-to-end security implementation
• Provide defense-in-depth with the production environment

Proactive monitoring and recursive feedback
• Continuous testing to identify problems before they become issues
• Leverage logging/telemetry to drive learning and innovation
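The governance slide above (security automation, automated audit evidence, security metrics) and the "risk-oriented operations" criterion ("don't just rely on scans") describe what a pipeline guardrail has to do without showing one. The following is an added example, not Deloitte's code or any product's: a risk-based gate that weighs scanner severity against exposure and asset criticality, records approved exceptions instead of re-flagging them, emits a digest-protected evidence record for auditors, and derives the metrics the deck lists (open security defects, risk acceptances, gate outcome). The finding shape, the severity weights, the thresholds, the sample findings and the asset inventory are all constructed assumptions for illustration; an unregistered asset is treated as high criticality rather than silently ignored.

```python
"""Risk-based security gate for a CI pipeline (added example, not Deloitte's
code). Findings come from whatever scanners the pipeline runs; here they are
constructed sample records in a scanner-neutral shape."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample scanner output (not real findings). "exception" holds the
# id of an approved risk acceptance, if any.
SAMPLE_FINDINGS = [
    {"id": "F-1", "tool": "sast", "severity": "high", "component": "payment-api",
     "internet_facing": True, "reachable": True, "exception": None},
    {"id": "F-2", "tool": "dependency", "severity": "critical", "component": "internal-batch",
     "internet_facing": False, "reachable": False, "exception": None},
    {"id": "F-3", "tool": "dependency", "severity": "medium", "component": "payment-api",
     "internet_facing": True, "reachable": True, "exception": None},
    {"id": "F-4", "tool": "sast", "severity": "low", "component": "payment-api",
     "internet_facing": True, "reachable": True, "exception": "RISK-ACCEPT-0042"},
    {"id": "F-5", "tool": "container", "severity": "medium", "component": "legacy-svc",
     "internet_facing": False, "reachable": True, "exception": None},
]

# Constructed asset inventory: business criticality per component, 1 (low) to 3 (high).
# "legacy-svc" is deliberately missing to show how an inventory gap is handled.
ASSET_INVENTORY = {"payment-api": 3, "internal-batch": 2}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
UNKNOWN_ASSET_CRITICALITY = 3  # assumption: an unregistered asset is treated as high criticality


def risk_score(finding, inventory):
    """Combine scanner severity with exposure and business criticality.

    Exposure ranges 1.0-2.0 (internet-facing and reachable each add 0.5), so the
    same defect scores higher on an exposed, critical asset than on an isolated one.
    """
    severity = SEVERITY_SCORE.get(finding["severity"].lower(), 0)
    exposure = 1.0 + 0.5 * bool(finding.get("internet_facing")) + 0.5 * bool(finding.get("reachable"))
    criticality = inventory.get(finding["component"], UNKNOWN_ASSET_CRITICALITY)
    return severity * exposure * criticality


def evaluate(findings, inventory, block_at=12.0, warn_at=6.0):
    """Gate decision: approved exceptions are recorded, not re-flagged; everything
    else is blocking, a warning, or tracked (below warn_at, still sent to the backlog)."""
    buckets = {"blocking": [], "warnings": [], "tracked": [], "accepted": [], "inventory_gaps": []}
    for finding in findings:
        entry = {**finding, "risk": risk_score(finding, inventory)}
        if finding["component"] not in inventory:
            buckets["inventory_gaps"].append(finding["component"])
        if finding.get("exception"):
            buckets["accepted"].append(entry)
        elif entry["risk"] >= block_at:
            buckets["blocking"].append(entry)
        elif entry["risk"] >= warn_at:
            buckets["warnings"].append(entry)
        else:
            buckets["tracked"].append(entry)
    buckets["decision"] = "BLOCK" if buckets["blocking"] else "PASS"
    return buckets


def metrics(result):
    """Security metrics for continuous feedback: open defects, exceptions, gate outcome."""
    open_findings = result["blocking"] + result["warnings"] + result["tracked"]
    by_severity = {}
    for f in open_findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {
        "gate_decision": result["decision"],
        "open_security_defects": len(open_findings),
        "by_severity": by_severity,
        "risk_accepted": len(result["accepted"]),
        "inventory_gaps": sorted(set(result["inventory_gaps"])),
    }


def evidence_record(result, pipeline_id, commit, generated_at=None):
    """Audit evidence: canonical JSON of the decision plus a SHA-256 digest, so a
    later reviewer can check that the stored record was not altered."""
    body = {
        "pipeline_id": pipeline_id,
        "commit": commit,
        "generated_at": generated_at or datetime.now(timezone.utc).isoformat(),
        "decision": result["decision"],
        "blocking": sorted(f["id"] for f in result["blocking"]),
        "warnings": sorted(f["id"] for f in result["warnings"]),
        "accepted": sorted((f["id"], f["exception"]) for f in result["accepted"]),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest()}


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_FINDINGS, ASSET_INVENTORY)
    print(json.dumps(metrics(outcome), indent=2))
    print(json.dumps(evidence_record(outcome, "pipeline-0001", "0123abcd"), indent=2))
    raise SystemExit(1 if outcome["decision"] == "BLOCK" else 0)
```

Run as a pipeline step, the non-zero exit status is what stops the deployment; the printed metrics feed the shared dashboards the deck calls for, and the evidence record (with its digest) is what gets archived for the "audit request to evidence delivery" metric. With the sample data, the high-severity finding on the exposed payment service blocks the build, while the critical dependency finding on the isolated batch job is surfaced as a warning for the backlog rather than treated as an outage, which is the risk-based prioritization the slide asks for; the exception F-4 stays visible in the record but no longer fails the gate.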



This presentation contains general information only and Deloitte Risk and Financial Advisory is not, by means
of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional
advice or services. This presentation is not a substitute for such professional advice or services, nor should it
be used as a basis for any decision or action that may affect your business. Before making any decision or
taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte Risk and Financial Advisory shall not be responsible for any loss sustained by any person who relies
on this presentation.

As used in this document, “Deloitte Risk and Financial Advisory” means Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte
Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics
LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see
www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and
regulations of public accounting.
