
Secure from the start: Why SecDevOps is the key to cybersecurity innovation?

How to integrate SecDevOps in your business strategy?

Cybercriminals take no prisoners. That’s why every company should ensure that cybersecurity is part of its operating model. According to our cybersecurity expert Luis Delabarre, SecDevOps, the process of integrating secure development best practices and methodologies into the development and deployment processes, is the best way to do just that. Tune in to our podcast to learn about the growing importance of SecDevOps and its two distinct parts: security as code and infrastructure as code.

Transcript

Karl Culley:
Welcome to a Capgemini Cybersecurity Podcast focusing on SecDevOps. I’m delighted today to be joined by Capgemini cybersecurity expert Luis Delabarre.
This topic is known as SecDevOps. It’s the process of integrating secure development best practices and methodologies into the development and deployment processes, which DevOps makes possible. And so without further ado, let’s get into it.

Luis Delabarre:
Yes, of course. It’s a very important matter that large enterprises are trying to address now because, in the old world, I would say we had a kind of development process for applications that was very controlled. You developed your own code, then you controlled it, you tested it, you did some qualification, and at the end, if everything was okay, you deployed the new code, the new version. But it was taking a lot of time because, of course, a lot of parties were involved. Different processes were involved. And actually the new world is not like that; we’re walking away from that. We want, or our customers want, to deploy code as quickly as possible, almost in real time, maybe with a few modifications in the same day. So, you cannot have this old process to qualify, test, and verify that everything is okay with the application.

So, the overall idea of SecDevOps is to make sure that you embed, or you integrate, security in your development practice, so that’s quite important. And even more so in the future with new technologies like serverless, containers, and Function-as-a-Service, it will be even more critical, because you have even less time between the coding and the deployment of the code to the cloud, for example.

Karl Culley:
I see, I see. So the coding has to be almost integrated into the actual backbone from the beginning. Would that be…

Luis Delabarre:
Yes. Yes, exactly. Exactly. We use a term for this, the CI/CD pipeline, which runs from development to deployment. So, the idea of SecDevOps is to make sure that your security posture, or countermeasures, or mechanisms are integrated as early as possible, to make sure that we are not deploying applications with vulnerabilities. That’s the whole idea of SecDevOps.

Karl Culley:
Okay, great. And could you talk about the distinct parts of SecDevOps, the first being security as code and the second infrastructure as code?

Luis Delabarre:
Yes. When we are talking about security as code, we’re talking about automation versus a manual process, as I said. To explain it, a very simple example. This is now required by some companies: while the coder is using his own tooling, like an IDE, to develop his program or his code, you check the quality of the code from a security standpoint directly, in real time. You are not waiting until the end of the process to check the quality of it, and it’s fully automatic. There is no requirement for a specific team to check the code and so on. The coder, the developer, is, I would say, responsible for his code, even from a security standpoint. So, automation versus manual processes. If we are talking about infrastructure as code, it’s more or less the same idea. It’s automation involving specific technologies like the configuration management systems Ansible, Chef, and Puppet. And the idea of this is to make sure that your infrastructure is automatically deployed.

So for example, if you go to Amazon or if you go to Azure or your cloud service provider, you want to provision a workload, a virtual machine or containers. When you select what type of workload you want to deploy, it could be a database, as I said, could be a virtual machine or whatever. When you validate the fact that you want to provision this workload, everything should be automatic. No manual process, no human will be integrated to create and run this workload.

So thanks to the specific technologies I mentioned, like Ansible, Chef, and Puppet, you are able to automatically provision your workload in the cloud, for example, or in your own infrastructure. You need to combine both. You should have your security as code to make sure that the application you want to provision in the cloud is secure. But you also want to make it automatic. You want to make sure that every time you need a new workload, you have a scalable application. Let’s say that you have a web server in the cloud, and because it’s Christmas time, there are more requests. You don’t want a human to create a virtual machine… to answer the requests, to be more performant. It should be automatic.

Karl Culley:
Yeah. Okay. Wonderful. Well, thank you so much for the overview of those things. This next question has the potential to be a huge tongue twister for me; I’m going to go for it. What is the difference between SecDevOps, DevSecOps, and DevOpsSec? I don’t think I could say that three times quickly.

Luis Delabarre:
Yeah. No, no, you’re right. And by the way, I’m sure that when you go to different events, like trade shows or a presentation, you could find all three different words even in the same presentation, so people are using them. I’m a true believer that SecDevOps is the right one, the right word to be used, because it makes the security aspect of DevOps more important. Because if you say DevSecOps or DevOpsSec, you find that Sec comes after. It’s a lower priority. It’s not that important. And if you just mention SecDevOps, you will face the fact that security is very important. And it’s a prefix, so people read it first, before the Dev and the Ops.

Karl Culley:
Okay. So, can we finish up by talking about how SecDevOps can be implemented?

Luis Delabarre:
Usually in cybersecurity we talk a lot about operating models. That’s very important. And an operating model is a combination of three aspects. It is people, technology, and process. So in every aspect of the IT systems and of course including cybersecurity, when you want to implement a new solution, a new project, or you want to transform your IT, for example, you always have to address these three pillars or these three angles of your operating model: technology, process, and people organization.

So, to answer your question, SecDevOps is one of the motivations to improve your operating model, to have your IT more secure. So, thanks to SecDevOps, your tooling will be more secure, you will improve your process to bring more security into the IT, and of course you have some impact on your organization, developers’ education, training. You need to make sure that your coders and your developers are aware of this SecDevOps, I would say, approach or initiative.

So, as a summary, as a conclusion, I believe that SecDevOps is one of the best initiatives or projects for a company, not only an IT company but every company, to make sure that cybersecurity is part of its operating model.

Karl Culley:
Yeah, excellent. And I suppose none more important among those implementation requirements is the organizational culture change from the top. Right? Complete buy-in, I suppose.

Luis Delabarre:
Yes. Yes, exactly. Exactly. Yeah.

Karl Culley:
Okay, so I think that brings us to the end of this podcast. Luis, thank you so much for your well-articulated and insightful views on the topics of SecDevOps. Thank you so much for joining us.

Luis Delabarre:
You’re more than welcome, Karl.

Karl Culley:
Thank you to our listeners and watch out for the next podcast. We’ll see you soon.