Improving Your Security Posture on the Containerization Journey

by David Widen | Tuesday, Jan 12, 2021 | DevSecOps GitLab

Building a security-focused culture

A DevOps transformation is a massive organizational change with implications for everything about how team members communicate and collaborate. It can also be an opportunity for organizations to integrate security into their applications’ lifecycles at every stage and move security teams from being a roadblock to being a strategic development partner. Here’s how organizations can use the DevOps transformation to improve their approach to security.

Adjust incentives

People will focus on the things that they are incentivized to care about and are evaluated on. If developers in your organization never get feedback, good or bad, about how secure their applications are, it only makes sense that they won’t actively look for ways to increase security.

This is not to say developers don’t care about security: That is a negative stereotype some security professionals have about developers, but it doesn’t reflect reality. Most developers don’t wake up in the morning thinking they’re going to ship code that will cause a breach or intentionally leave customers’ personal information in a public S3 bucket. When no one even notices how well the developer is managing security, he or she won’t focus on it and might not even know what could be done to improve.

If you want to create a security-focused culture, everyone involved with the application lifecycle, from the developers to the ops teams, should have some security-related metrics included in their evaluations as well as ways to evaluate how their work strengthens (or weakens) the organization’s overall security posture and how to improve their performance on security metrics.

Get past stereotypes

Culturally speaking, negative stereotypes about other teams and other specialties are poisonous and can prevent organizations from building the collaborative, cross-functional teams that they need to succeed with DevOps and containers and to do so in a security-focused way. We’ve gone into meetings in which we’ve been told, “Don’t talk to the networking guys, they’ll mess everything up.”

People who dislike each other aren’t likely to collaborate, and success with containers in general — and particularly with building highly secure containerized applications — requires collaboration between different specialties. Helping teams and individuals get past negative stereotypes about what all ‘developers’ or all ‘security pros’ are like is a big organizational shift, but it is more important than any tool you’ll buy.

Encourage collaboration

It’s not enough for diverse teams to stop disliking each other — they also have to collaborate. The more teams are made up of individuals with diverse skill sets that can handle the entirety of the application lifecycle, from networking to setting up storage to managing security to responding to incidents in production, the faster the organization will be able to deliver new applications.

When team members are able to collaborate at all stages of the application lifecycle, potential problems are discovered sooner and resolved sooner. Instead of finished applications getting a security review before deployment, the security review happens continuously during development and never has to be sent back to the development team with a checklist of things to change. The end result is that applications get out the door sooner and are more secure.

Migrating to containers already involves a major cultural shift. Organizations can leverage the changes they already need to make to succeed with DevOps and containers to build security into the entire application lifecycle and embrace a DevSecOps approach to software development. We wrote a white paper that goes into more detail about how building a security-focused organizational culture is critical to creating secure containerized applications over the long term. You can read the whole white paper here.

To learn more, download the white paper.