People in the DevSecOps Process

As it was stated in the DevSecOps Introduction article, DevSecOps is a combination of technology, processes, and people. A well thought-out, competent roles definition and staffing is one of the most important success factors when building a DevSecOps organization.

Executive Leadership

Historically, security initiatives that achieve company-wide impact are sponsored by a senior executive who creates a security team, also known as a Software Security Group (SSG), and who garners resources and provides political support.

A key success factor for any software security initiative is to establish, grow and maintain a strong security culture through technical excellence and expertise among the software engineers in software delivery teams. This approach is driven by an AppSec Evangelist, supported by local Security Champions, and backed by executive sponsorship. Responsibility for secure software development is assigned to the development teams and mutually acknowledged.

Software Security Group

A software security initiative is an organization-wide program to instill, measure, manage, and evolve software security activities in a coordinated fashion. The first step of a software security initiative is to form an SSG. According to the Building Security in Maturity Model, or BSIMM (see details: Sammy Migues, John Steven, and Mike Ware, “BSIMM 11”), the SSG is the internal group charged with running the software security initiative. The SSG might be entirely a corporate team, entirely an engineering team, or an appropriate hybrid. The team’s name might also reflect its organizational focus, such as “application security group” or “product security group.”

While setting up the software security practices and ramping up the software security initiative, the main tasks of the SSG are:

  • Building application security excellence within the context of particular software development assets (product / application / digital service)
  • Growing technology expertise around a specific technology stack
  • Implementing a DevSecOps factory and driving general adoption of the software engineering process in the context of software security
  • Building DevSecOps expertise within software delivery teams
  • Ensuring knowledge management across delivery teams

While running the software security practices, the main tasks of the SSG are:

  • Fine-tuning the DevSecOps technology stack
  • Enforcing continuous execution of the practices
  • Providing expert support to Security Champions in delivery teams

AppSec Evangelist

An AppSec Evangelist is a technical, ideological and methodological expert in application security who works with all stakeholders including management, clients, SSG, and development teams. An AppSec Evangelist is a key driver of the entire AppSec Initiative and should be able to cover strategy, processes and DevSecOps-related questions. A person in the AppSec Evangelist role must be passionate about AppSec, have good leadership skills, and be a good presenter.

Security Champions

Security champions carry the secure software engineering culture into development teams and are responsible for application security within those teams. Security champions are not part of the SSG, but they form a satellite community around it.

Management

A senior executive has to be identified to manage operations, garner resources, and provide political cover for the software security initiative. Grassroots approaches to software security led solely by developers or development managers have a poor track record in the real world. Identifying a senior executive and putting him or her in charge of software security directly addresses the management concerns of accountability and empowerment. Thus, a place is created in the organization where software security can take root and begin to thrive.

A reorganization may be necessary to align personnel for a DevSecOps practice. In general, the SSG could be managed under any of three pillars: the Chief Information Officer (CIO), the Chief Technology Officer (CTO) or the Chief Information Security Officer (CISO). It should be noted that the formal organizational structure of a specific company may include anywhere from one to all three of these pillars. These roles may also carry different titles and may report to one another.

Awareness & Training

A continuous education practice is essential for software engineering organizations that strive to achieve a higher maturity level and to minimize the introduction of security vulnerabilities into their applications and services. Security education, which consists of awareness programs and training, is a logical part of the SDLC. The goal of awareness programs is to raise collective awareness of the importance of security and security controls. The goal of training is to build a more in-depth level of understanding (see details: Chelsea Russell, SANS Institute, “Security Awareness—Implementing an Effective Strategy”).

Key principles of an awareness program include:

  • Profiling for different job roles (Software Engineers, QA Engineers, Architects and Analysts, Delivery Managers, Product Managers)
  • Running a role-based, interactive portal as a single entry point
  • Evaluating effectiveness based on historical software engineering data
  • 100% agility: the content of the program can be adjusted at any time

Training courses are designed to enable engineering teams to build more secure code. Delivered by practicing experts with years of multi-platform development experience, a training program provides a working knowledge of threats and the corresponding countermeasures through a mixture of security concepts and hands-on development exercises.

Training courses are tailored to the results of discovery in the software engineering processes and to the types of vulnerabilities found in the applications, so that they address the specific needs of the engineering organization.

A key to success in embedding security into the software development process is to raise the level of knowledge on software security topics and to share that expertise across engineering teams.