Question: I am the security person in a company that writes a lot of its own applications. I am thinking we need to implement a DevSecOps program, but I’m not sure how to get started or how to present it to my upper management. Can you give me some advice?
Yaron Levi, CISO at Blue Cross Blue Shield of Kansas City: Start with the end in mind. When you consider the organization’s business, risk, culture, and capabilities, what do you believe a successful DevSecOps practice should look like? Try to think about the ideal situation, the good enough situation, and the minimum bar situation, then chart a path of how to get to each stage. Think about what you will need, including people, process and technology, as well as pros and cons for each stage.
For example, an ideal situation may be that every developer is fully proficient with secure development practices, threat modeling, risk assessments, etc. A good enough situation may be where you have at least one security champion (or advocate) on each team, and the minimum bar situation is where you have a centralized application security team that supports the entire organization.
This will allow you to present options to executive leadership so they can choose what makes the best business sense for them. Make sure to explain why this is needed in terms of business risks and benefits.
From a knowledge perspective, the Open Web Application Security Project (OWASP) has a lot of great information and resources to help you on your journey. Remember that, more than anything, DevSecOps is a cultural change for many organizations — hence your biggest investment will need to be in people.
What do you advise? Let us know in the Comments section, below.