Published June 2, 2020
WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
Over the last few months, the whole world has fundamentally changed due to the emergence of a novel coronavirus, COVID-19. The highly infectious nature of the virus, its devastating impact on vulnerable individuals who catch it, and the lack of a vaccine have allowed COVID-19 to become a global pandemic. Institutions of all types have been closed and life as we know it has been fundamentally changed. Officials argue about the “right” way to emerge from this self-imposed shutdown, but all agree that our world is different now.
DevSecOps is one tiny part of the global economy, but it can benefit from the lessons this crisis can teach us. At its core, a DevSecOps philosophy exists to keep a major disruption like COVID-19 from threatening an organization’s survival. That is not to say DevSecOps could prevent a real-world virus, but how we approach an emergency should shape the way our DevSecOps teams approach their charters.
We can all learn a great deal by looking at the COVID-19 crisis and examining how we can do things better next time.
The element of surprise
Don’t underestimate the humanness of any team. Group dynamics affect every team’s performance and its ability to function effectively, and DevSecOps is no different. In fact, the degree to which a DevSecOps team adds value to its organization depends on its ability to function productively. Contentious competition rarely results in positive team outcomes.
The fact is that we — as a community, a nation, and a global population — were not ready for COVID-19. There were a few qualified individuals who warned of such a pandemic for many years, but their warnings didn’t gain much traction. Traditional risk management had placed a pandemic like COVID-19 too low on the priority list to warrant a sufficient preparation budget. We flat out missed it.
Hindsight is 20/20, and it is so easy to criticize others in retrospect. That isn’t the purpose here, and analysis for criticism is not very productive. Critical analysis, on the other hand, can be very productive. Those are very different approaches. Critical analysis of how we prepared for and managed the COVID-19 pandemic can provide DevSecOps teams with valuable insight into how to handle crises.
This novel virus took everyone by surprise. We had not properly recognized the threat, we had not invested in preparing for such a threat to be realized, and we failed to understand the gravity of the problem in its early stages. Analysts depended on limited and incomplete data to fuel models that were speculative and dynamic. Traditional data and models built for other similar outbreaks weren’t able to provide the granular results necessary to take decisive action. Authorities at all levels took good-faith action based on their interpretation of the latest models, but interpretations differed, and the resulting actions weren’t coordinated in many cases.
The DevSecOps takeaway is that our teams exist in large part to avoid competing jurisdictional mandates within the organization. Cohesiveness is more than a happy feeling; it gives a team the ability to react uniformly to a crisis. The focus of an effective DevSecOps team should be to invest extensively in risk assessment, including thorough threat modeling, to understand its organization’s attack surface before an incident forces the issue.
Preparation is expensive, but being surprised costs a lot more.
Unplanned change isn’t easy
The Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK) Guide defines 49 distinct processes in managing projects. Although a DevSecOps team is an ongoing entity and not technically a project structure, the PMBOK’s process descriptions still apply. The PMBOK Guide explains that “Develop Team” and “Manage Team” are separate processes. That’s because teams change, and failing to manage that change can cause friction and a loss of effectiveness.
The common perception of teamwork is that the team dynamic stays constant throughout the team lifecycle. But in real life, teams progress through stages in a normal cycle. Studies in the field of group dynamics show how understanding and managing teams through normal changes can reduce friction and increase a team’s productivity. Even without a deep understanding of group dynamics, stability allowed many teams, including DevSecOps teams, to operate effectively enough to get the job done.
COVID-19 threw a wrench in the works. Teams that depended on the status quo have been forced into a new reality. Everyone expected norms to continue, but when a major disruption came along, we were all forced to adapt to change.
Change isn’t easy or comfortable. Some handle it better than others, but changes that invalidate comfortable norms can threaten any team.
We’re all getting used to working from home, participating in virtual meetings, and trying to figure out what “business-casual” attire now means. Interaction — and interpreting coworkers’ feelings about the matter at hand based on interactions — is more difficult, but there are positives every team can embrace. Just like in the COVID-19 pandemic, discussions should soberly address not only the current situation but also look ahead.
Many ongoing conversations focus on what’s next. While those conversations can be difficult and agreement may seem elusive, the direction of such questions is positive. Each phase of crisis response is temporary, and that focus should be a frequent reminder to avoid getting bogged down at any point in the process.
Maturing means finding community solutions
The last main takeaway from COVID-19 is how we can learn from this crisis to help our teams to mature. Maturity is rarely something the immature desire. But maturing is a process that provides enduring, positive, and sustaining results.
A mature DevSecOps team will be better prepared to handle future challenges with minimal disruption. That’s the whole point of combining functions and personnel from multiple organizational areas. The question is: How do we get there?
First and foremost, political sniping doesn’t help. I’d love to have the authority to enforce this one. Every person is entitled to their own opinions and should be encouraged to respectfully share them, even with people who hold opposing views. The problem is that differences of opinion have become a barrier to constructive decision-making, as opposed to an integral component of making mature decisions. Conflict and differences should enhance conversations, not stifle them. In your own DevSecOps teams, explore methods to encourage diversity of opinions and viewpoints. You’ll often find that a minority perspective may be the one with the most insight.
Regardless of how you encourage vigorous debate, focus on overall team coordination. If linear processes with structured handoffs worked, there wouldn’t be a need for DevSecOps. At the risk of preaching to the choir, remember why the DevSecOps approach was developed in the first place. In the “old days,” development finished its work and pitched code over the wall to operations. The responsibility for quality was split between the two entities. Then, when security concerns began to arise, another entity got involved in the process. With no clear responsibility boundaries, the idea of all three groups working together was introduced. Interdisciplinary coordination is the heart of DevSecOps teams. No single specialist can solve the growing complexity of enterprise applications and infrastructure issues.
Technology support makes team success possible. We’ve seen many new and existing technologies applied in the COVID-19 response space. There are new implementations of temperature sensors in handheld, camera-based, and even drone platforms. Proximity and trajectory tracking research are being applied to contact-tracing apps to document the virus’ spread and help determine infection origination points. Although the use of technology triggers valid privacy concerns, the technology itself provides tremendous value for addressing the problems. Data, automation and autonomous sensing allow humans to focus on high-value activities.
Your teams can benefit from technology as well. Approach your DevSecOps team’s “new normal” by exploring how technology can help. Collaboration software, including team management and workflow applications, can help continue teamwork in a distributed environment. Ubiquitous communication devices are essentially a given, but don’t fall into the trap of relying solely on that smartphone. Always build in contingencies for ensuring communication, such as an out-of-band channel that doesn’t depend on the same infrastructure as your primary tools. If your team can’t stay in touch, they can’t function.
The most challenging situations can provide the richest lessons. In your DevSecOps teams, focus on long-term well-being, as opposed to short-term recovery only. Risk management should be a blended approach. Avoiding risk is only one option; mitigating, transferring, and consciously accepting risk are the others, and a mature team knows which one it has chosen for each threat it has modeled.
Look at the COVID-19 pandemic and how we are reacting to it with a critical eye and an inquisitive perspective. The situation we find ourselves in provides a valuable opportunity to pause and consider how we can apply these lessons to our own lives.
To talk more about DevSecOps, or anything else security related, please contact us. Kiuwan leverages SAST and SCA analysis so developers operating in the Software Development Life Cycle (SDLC) can shield their applications from security risks using a scalable and lightning fast platform that seamlessly integrates within any DevOps environment.