Best Practices of the DevSecOps Elite: A Slack Takeover with DJ Schleen
DJ Schleen took over the TechWell Hub for a day to discuss all things DevSecOps.
Schleen is a seasoned DevSecOps advocate at Sonatype, as well as an international speaker, instructor, and author. He encourages organizations to deeply integrate a culture of security and trust into their DevOps practices, core values, and product development journey.
Challenges to Adopting Security Practices in DevOps
“What do you see as the biggest challenges to adopting security practices into DevOps?” —@Tom Stiehm
“There are a ton of challenges to gain successful adoption,” Schleen said. “It depends on which team is trying to implement the practice.”
He said challenges vary based on whether it’s the development team or the security team driving adoption, and on the size of your company.
“The biggest challenge is to ensure everyone is comfortable with change and can communicate with candor,” he said. “Once the culture is there (or growing), the challenge is to find the best place in an automated pipeline to put security controls without sacrificing the speed of delivery and deployment.”
Getting Management to Buy Into DevSecOps
“One problem I have had in terms of implementing security into DevOps is getting management to buy in. What are some ways that you were able to get managers/leaders on board with making security a bigger priority when it comes to DevOps?” —@David
“That always seems like the hardest thing to do, right? I’ve been told in the past that security wasn’t a priority,” Schleen said.
However, great leaders usually have their employees’ best interests in mind, give time and productive feedback, establish goals for their direct reports and let them run until tackled, and deliver the goals of the business.
Schleen said reasonable leaders will listen and consider the ideas and concerns of their team, and then take those ideas and seek alignment with business goals, assess risk, and come to a conclusion.
Where to Focus Attention for Open Source and Containers
“As someone relatively new starting out in the security field, and being the individual tasked with managing vulnerability and patching exceptions for both OSS and Containers, where would you focus your attention?” —@David Croughwell
Schleen said that with open source software, you want to do three things:
- Proxy incoming components so you know what is coming in the door from any third-party repository
- Integrate OSS tooling into the pipeline upon check-in of code. Have it scan for vulnerable component versions, and if it finds one with a binary-compatible, non-vulnerable version, then automatically create a pull request for the developer to merge. Don’t fail, don’t send it back, and don’t create an external work item; deal with it where developers have the least amount of friction
- Create policies for restrictive licenses. Schleen said he prefers to only use MIT licenses. Using the wrong one can create unnecessary trademark risk or instantly require you to make your proprietary software open source
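The second and third points above, as an added Python example that is not code from the takeover or from Sonatype: a pipeline policy step that reads a constructed dependency manifest and a constructed advisory feed, proposes a compatible fixed version as a pull request rather than failing the build, and reports components whose license is outside an MIT-only allowlist. The package names, advisories, and the "same major version means binary compatible" rule are all assumptions made for the example.

```python
from dataclasses import dataclass

LICENSE_ALLOWLIST = {"MIT"}  # the MIT-only preference stated in the answer

# Constructed advisory feed (not real packages or advisories): versions below the fix are affected
ADVISORIES = {"acme-pad": "1.3.0", "acme-walk": "2.0.1"}

@dataclass
class Component:
    name: str
    version: str
    license: str

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

def is_compatible(current: str, candidate: str) -> bool:
    # Assumption: the same major version counts as a binary-compatible, drop-in upgrade
    return parse_version(current)[0] == parse_version(candidate)[0]

def evaluate(manifest):
    """Return (auto_pr_changes, needs_review, license_blocks). Nothing here raises,
    so the build keeps going and the findings land where the developer already works."""
    auto_pr, needs_review, license_blocks = [], [], []
    for c in manifest:
        if c.license not in LICENSE_ALLOWLIST:
            license_blocks.append(c.name)
        fixed = ADVISORIES.get(c.name)
        if fixed and parse_version(c.version) < parse_version(fixed):
            # Compatible fix: bump it in an automatic pull request. The answer gives
            # no rule for incompatible fixes, so this example queues those for a human.
            target = auto_pr if is_compatible(c.version, fixed) else needs_review
            target.append((c.name, c.version, fixed))
    return auto_pr, needs_review, license_blocks

def render_pr_body(changes) -> str:
    """Description text for the pull request opened for the developer to merge."""
    return "\n".join(f"Bump {n} from {old} to {new}: {old} has a known vulnerability"
                     for n, old, new in changes)

# Constructed manifest for one sample build
MANIFEST = [
    Component("acme-pad", "1.1.0", "MIT"),       # vulnerable, compatible fix -> auto PR
    Component("acme-walk", "1.4.2", "MIT"),      # vulnerable, fix is a new major -> review
    Component("acme-sort", "3.0.0", "GPL-3.0"),  # no advisory, but license not allowed
]

if __name__ == "__main__":
    pr, review, blocks = evaluate(MANIFEST)
    print(render_pr_body(pr)); print("needs review:", review); print("license:", blocks)
```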