DevSecOps Elite and Their Reference Architecture

Who are members of the DevSecOps elite, and what tools do they use? And, why should you care? 

The Sonatype community has a few insights. Two Sonatypers shared insights at DevOps World | Jenkins World this past August - highlighting the importance of understanding what others are saying, to assess your own processes. 

Sonatype’s Derek Weeks (@weekstweets) shared insight from the 2019 DevSecOps Community Survey. Close to 6,000 practitioners provided thoughts on staffing practices, educational priorities, automation choices, and process improvements that improve their cybersecurity preparedness. It also uncovered details of where automation fails, awareness falls short and breaches happen - and what makes an Elite DevSecOps practice.

In his presentation, 10 Attributes of the DevSecOps Elite, Derek highlighted the habits practiced by these Elite organization that others can then apply to -- or further mature within -- their own organizations. Here’s a brief look at five of the ten characteristics. Watch his presentation, below, to examine all of the attributes.

1. Embrace automation. Elite DevSecOps practices are 350% more likely to have fully integrated and automated security practices across the DevOps pipeline.
   
   
2. Favor container security, web application firewalls and software component analysis. 91% of elite DevOps practices emphasize security at the container/application level, 85% prioritize additional resources at the web application firewall level, and 84% emphasize governance of open source components used in development.
   
   
3. Utilize more third-party tools to augment cloud service security. Elite DevSecOps practices are almost twice as likely to augment the security features delivered by their cloud providers with third-party cloud security tools, as compared to non-DevOps projects.
   
   
4. Get faster feedback. Automation within developer tooling allows elite teams to address infosec and app security issues faster. 63% of elite practices are notified through their tools.
   
   
5. Follow open source governance policies. Elite teams are 62% more likely to follow established policies compared to 25% of teams without DevOps practices follow policy.

Mapping Elite Reference Architecture

Similarly, reference architecture decisions separates elite DevSecOps practitioners from those with less competitive output.

Sonatype’s DJ Schleen (@djschleen) gave a presentation, Diving into a DevSecOps Reference Architecture, which looked at how tooling decisions are reflected in DevSecOps practices. His interactive reference architecture tool is available for free here. (Watch for the monkeys -- they indicate areas with the potential for chaos!)

Among the observations:

1. Tooling needs flow - All tools should support existing workflow. Forcing flow doesn’t work; tools are likely to be skipped or ignored if they don’t fit into existing processes and/or shared goals.
   
   
2. Self-patching and repair are part of the process - Course correction should be expected. Some tooling across the pipeline will be updated or removed based on a project’s evolution.
   
   
3. Pipelines aren’t cut-and-paste - Every organization, and every project, are unique. Use these reference architectures as inspiration. Start with a successful reference architecture and build the one that fits your project and people.

Watch DJ’s presentation below.

We look forward to continuing the conversation about what different evolutions of DevSecOps program means for different orginizations with fellow developers and other DevSecOps advocates. Get involved with our community.