Five keys to an effective DevSecOps framework

Cross-functional collaboration and automated controls integration are vital

Caleb Queern

Director, Cyber Security, KPMG US

James Williams

Director, Advisory, KPMG US

Lavin Chainani

Director Advisory, Technology Risk Management, KPMG US

Reducing risk across the software development lifecycle (SDLC) is not always top of mind for software organizations until an attack occurs, and by then it may already be too late to contain the damage.

How can organizations address these risks proactively, before an attack occurs?

One way is to develop a DevSecOps framework that is collaborative and multidisciplinary and that acts as the standard operating procedure for rapid, compliant, and secure service delivery.

But what is required end-to-end across an organization to create such a framework while managing conflicting priorities?

Ask a CIO, CRO, or CISO what it means to carry out DevSecOps effectively and the typical answer is “We have a plan for that.” They likely do, but in many cases, each has different priorities and perspectives. Unfortunately, there’s no single sheet of music from which all three are reading. As a result, too often there is no harmony, no agreement as to how these constituencies can most effectively work together.

A well-designed DevOps framework is predicated on increasing delivery speed and customer value through an automated SDLC. Many companies are adopting this approach in an effort to establish themselves as leaders in a steadily digitizing economy. This initiative is a critical priority for many organizations and requires broad leadership support.

With vulnerability concerns growing, companies need to embed security into the SDLC holistically so development teams can work quickly and safely at scale. The challenge for highly regulated and non-regulated organizations alike is working safely and securely without interrupting innovation and creativity. Companies for which this is not a priority are likely to experience ongoing release delays, application instability, and high levels of cyber risk.

Companies need to align all relevant areas—IT, risk, information security, technology, data, and privacy—to formulate a cohesive, end-to-end vision. Today, data breaches, software failures/outages, and cyber-attacks are often revealed on social media before most legacy monitoring platforms pick them up, making availability and reliability more important than ever. The true financial and reputational cost of recovering from a negative event is elusive, yet massive.

We believe companies should take a holistic view of DevSecOps, prioritizing speed and agility while implementing a governance framework built on relevant controls, security scanning, and automated testing. Through this approach, organizations align development, security, and risk/operations to create a software delivery architecture that identifies key roles, processes, and technologies. Embedding security and governance tooling directly into the development and delivery pipelines, shifting left, makes these controls far harder for developers to circumvent than checks that run outside the pipeline, and it surfaces findings while they are still cheap to fix.
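As an added illustration of what an automated, in-pipeline control looks like (this is example code written for this page, not code from the KPMG paper or any KPMG tool), the following hypothetical Python gate evaluates scanner findings against a policy and returns a pass/fail decision. The scanner output shape, the policy fields, the severity scale and the finding identifiers are all assumptions; the sample findings and waivers are constructed. The point it demonstrates is that the decision is made by code the pipeline runs, with time-boxed waivers that expire and an unknown severity that fails closed, rather than by a check a developer can skip.

```python
"""Hypothetical CI security gate: evaluate scanner findings against a policy.

Added example, not code from the KPMG paper. Scanner output format, policy
shape and finding identifiers are assumptions; sample data is constructed.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from datetime import date

# Ordered severity scale used by the policy threshold (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner rule or advisory id (constructed values below)
    severity: str
    component: str


@dataclass(frozen=True)
class Waiver:
    """A time-boxed, documented exception approved outside the dev team."""
    finding_id: str
    expires: date
    reason: str


@dataclass
class GatePolicy:
    block_at: str = "high"          # lowest severity that blocks a release
    waivers: list[Waiver] = field(default_factory=list)


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding]
    waived: list[Finding]
    reasons: list[str]


def evaluate_gate(findings: list[Finding], policy: GatePolicy, today: date) -> GateResult:
    """Return the gate decision; the pipeline exits non-zero when it fails."""
    threshold = SEVERITY_RANK[policy.block_at.lower()]
    # Only waivers that have not expired count; an expired waiver blocks again.
    active = {w.finding_id: w for w in policy.waivers if w.expires >= today}
    blocking, waived, reasons = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Fail closed on a severity the policy does not understand.
            blocking.append(f)
            reasons.append(f"{f.finding_id}: unknown severity {f.severity!r}, blocking")
            continue
        if rank < threshold:
            continue            # below the policy threshold: report only, do not block
        if f.finding_id in active:
            w = active[f.finding_id]
            waived.append(f)
            reasons.append(f"{f.finding_id}: waived until {w.expires} ({w.reason})")
        else:
            blocking.append(f)
            reasons.append(f"{f.finding_id}: {f.severity} in {f.component} exceeds block_at={policy.block_at}")
    return GateResult(passed=not blocking, blocking=blocking, waived=waived, reasons=reasons)


# Constructed sample input; the identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("ADV-EXAMPLE-0001", "critical", "libfoo 1.2.3"),
    Finding("ADV-EXAMPLE-0002", "high", "libbar 4.5.6"),
    Finding("ADV-EXAMPLE-0003", "high", "libbaz 7.8.9"),
    Finding("SAST-EXAMPLE-0004", "medium", "src/handler.py"),
]
SAMPLE_POLICY = GatePolicy(
    block_at="high",
    waivers=[
        Waiver("ADV-EXAMPLE-0002", date(2024, 12, 31), "not reachable; upgrade scheduled"),
        Waiver("ADV-EXAMPLE-0003", date(2024, 1, 31), "vendor fix pending"),
    ],
)


def run_sample(today_iso: str = "2024-06-01", findings: list[Finding] | None = None) -> GateResult:
    """Run the gate over the constructed sample as of the given ISO date."""
    return evaluate_gate(SAMPLE_FINDINGS if findings is None else findings,
                         SAMPLE_POLICY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = run_sample()
    for line in result.reasons:
        print(line)
    # A non-zero exit is what makes the pipeline stage, and the merge, fail.
    sys.exit(0 if result.passed else 1)
```

Run as of 2024-06-01, the sample blocks the critical finding and the high finding whose waiver expired in January, waives the high finding with a valid waiver, and ignores the medium one, so the stage exits 1. Keeping the policy and waivers in a repository that developers cannot change without a second approver is what gives the control its teeth; the code only makes the decision reproducible.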

Our paper covers five key imperatives for transitioning from DevOps to DevSecOps:

  • Removing barriers from the development team’s path
  • Giving information security, governance, and compliance seats at the table from the outset
  • Empowering operations to better support what developers build
  • Visualizing value across the pipeline by focusing on value streams
  • Making finance a prominent partner with a dynamic funding model

A fully integrated DevSecOps structure is intended to increase value from development and delivery perspectives quickly while mitigating the ever-increasing vulnerabilities and cyber risks that exist in the marketplace today. Our DevOps professionals are ready to help you embed security and governance as key components of your SDLC framework while maintaining development speed and agility.