Main Conference (August 5th, 2022)

How to adopt DevSecOps successfully


Integrating security throughout the software development lifecycle is important, but it is not always easy. Adopting DevOps can help an organization transform and speed up how its software is delivered, tested, and deployed to production. This is the well-known "DevOps promise" that has driven such a large surge in adoption. We have all heard about successful DevOps implementations that changed how an organization approaches software innovation, making delivery fast and secure through agile practices and getting ahead of competitors. This is where the DevOps promise is achieved and delivered.

But on the flip side, some DevOps adoptions cause more issues than benefits. This is the DevOps dilemma, where DevOps fails to deliver on its promises. Many factors contribute to an unsuccessful DevOps implementation, and a major one is security. A poor security culture usually results when security is left to the end of the DevOps adoption process. Bolting existing security processes onto DevOps can delay projects, cause frustration within the team, and create financial impacts that derail a project.

DevSecOps was designed to avoid this very situation. Its purpose is to build on the mindset that everyone is responsible for security, and to make security a consideration at every level of DevOps adoption.

Before DevOps and DevSecOps, the application security process looked something like the image below: security came late in the software delivery process, after the software had already been accepted for production.

Depending on the organization's security profile and risk appetite, an application might even bypass security reviews and processes during acceptance. At that point, the security review becomes an after-the-fact audit exercise, carried out that way to avoid project delays rather than to change what gets deployed.

The DevSecOps manifesto says that the reason to integrate security into dev and ops at all levels is to implement security with less friction, foster innovation, and make sure security and data privacy are not left behind.

Therefore, DevSecOps encourages security practitioners to adapt and change their old, existing security processes and procedures. This may sound easy, but changing processes, behavior, and culture is always difficult, especially in large environments.

The basic requirement of the DevSecOps principle is to introduce a security culture and mindset across the entire application development and deployment process. This means old security practices must be replaced by more agile and flexible methods, so that security can iterate and adapt to a fast-changing environment. According to the DevSecOps manifesto, security needs to operate like developers, making security and compliance available to be consumed as services rather than applied as a final gate.
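One concrete form of "security consumed as a service" is a policy check that developers can run themselves, locally or in the pipeline, instead of waiting for a late review. The following is an added illustration written for this page; it is not code from the talk, from Elastic, or from any project the speaker worked on. The rule set (pinned images, no privileged containers, run as non-root, no privilege escalation), the function names, and the sample Kubernetes Deployment manifest are all assumptions constructed for the example. Manifests are handled as JSON so the block needs only the standard library.

```python
"""Policy-as-code check for a Kubernetes workload manifest (added example, not the talk's code).

The idea: the same checks a security reviewer would apply at acceptance time are
expressed as code and run on every change, so findings surface before merge.
"""
import json
from typing import Iterator

# Constructed sample manifest (not taken from the talk). The "api" container
# violates every rule below; the "sidecar" container is compliant.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "api",
                        "image": "registry.example.internal/billing-api:latest",
                        "securityContext": {"privileged": True},
                    },
                    {
                        "name": "sidecar",
                        "image": "registry.example.internal/log-shipper:1.4.2",
                        "securityContext": {
                            "runAsNonRoot": True,
                            "allowPrivilegeEscalation": False,
                        },
                    },
                ]
            }
        }
    },
})


def iter_containers(doc: dict) -> Iterator[dict]:
    """Yield init and regular containers from a Pod or from a workload's pod template."""
    spec = doc.get("spec", {})
    pod_spec = spec if doc.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})
    for key in ("initContainers", "containers"):
        yield from pod_spec.get(key, [])


def image_is_pinned(image: str) -> bool:
    """True when the image reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    # Strip the registry/repository path first: a registry host may contain ':port'.
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return False  # no tag at all resolves to 'latest' at pull time
    return name.rsplit(":", 1)[1] != "latest"


def evaluate(doc: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means the manifest passes."""
    findings = []
    for container in iter_containers(doc):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        if not image_is_pinned(container.get("image", "")):
            findings.append(f"{name}: image must be pinned to a tag or digest, not 'latest'")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: securityContext.runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: securityContext.allowPrivilegeEscalation must be false")
    return findings


def gate(manifest_json: str) -> tuple[bool, list[str]]:
    """Pipeline entry point: parse the manifest and return (passed, findings)."""
    findings = evaluate(json.loads(manifest_json))
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_MANIFEST)
    for finding in findings:
        print("FAIL", finding)
    print("PASS" if passed else f"{len(findings)} finding(s); blocking merge")
```

Run as a pre-merge job, a non-empty findings list fails the build and tells the developer exactly what to change; the security team maintains the rules as code, which is the "security as a consumable service" the manifesto describes.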

Speaker:


Michael Calizo

Principal Customer Success Manager at Elastic

Mike Calizo is the Principal Customer Success Manager at Elastic.co, focused on government customers, and is based in Canberra, Australia.

Mike believes that "data is power" and that harnessing this power can help organizations use their own insights to differentiate through innovation and drive efficiencies through cost optimization. In this talk, he will focus on how organizations can implement DevSecOps practices using the power of data.

Before joining Elastic, Mike worked for Red Hat as a Principal Solution Architect, where he focused on technologies like Kubernetes, Linux, and automation using Ansible. A systems admin at heart with a strong solutions architecture background, he helped implement modern cloud-native applications for both NZ government and FSI customers.

He is also a very active member of the open-source community and has written multiple articles for Red Hat blogs and opensource.com about security, Kubernetes, and automation. Mike is also the lead organizer of the Ansible and OpenShift Meetups in New Zealand, which are held several times a year.

Thank you to our sponsors

Our sponsors play a key role in supporting the conference and our community.

DIAMOND & CNS-2022 Co-Host

  • VMware

Platinum

  • Catalyst Cloud
  • Portainer
  • Auth0
  • Tetrate
  • Red Hat
  • Snyk

Platinum - Virtual Event

  • Cloud Native New Zealand

Gold

  • Portworx
  • Boost

Main Diversity Supporter

  • Deloitte

Silver

  • Xero
  • Twilio