6 Key Kubernetes DevSecOps Principles: People, Processes, Technology - Part 2
August 08, 2022
Bridgecrew

Building a DevSecOps strategy requires not only the right tooling but also the right culture. In Part 2 of this blog, we'll continue to introduce you to several principles to keep in mind when developing a Kubernetes infrastructure strategy or improving an existing one.

Start with: 6 Key Kubernetes DevSecOps Principles: People, Processes, Technology - Part 1

Key Kubernetes DevSecOps Culture Principles

Technology is core to implementing a Kubernetes-based DevSecOps strategy, but without the right people, processes, culture, and even KPIs, it can end up creating the very friction and bottlenecks it is meant to remove. Aligning development, security, and operations teams, however, is no easy feat, as these teams' goals are often at odds with one another. Engineers want to work on high-impact projects. Security wants to avoid incidents at all costs, which often slows down other teams. Operations exists to deploy features and improvements as fast as possible.

Breaking down those silos and fostering collaboration in the name of shared security responsibility is key to success. Here are some considerations for building a DevSecOps culture:

People

Since DevSecOps demands breaking down silos between teams, people are the foundation. Security training and fostering security champions have been touted as the go-to solutions for making security matter, but you can't stop there. DevSecOps is a two-way street that requires bi-directional knowledge sharing in order to build true shared accountability for security. For cloud-native applications, where technologies and software supply chains are constantly growing and changing, this is especially vital.

Whether you already have the right building blocks or are looking to add to your existing product and IT teams, these are some of the skills you need on your DevSecOps team:

A knack for efficiency: Regardless of department, efficiency and automation are key to DevSecOps success. When manual work inevitably crops up, teammates with a productivity mindset will invest the time to make it repeatable in the future, despite the temptation to just complete the task at hand.

Balance individual focus and greater goals: DevOps aims to break the development process into smaller components and processes, isolating individual outcomes at each phase. DevSecOps requires striking the right balance between security and efficiency. To do that in practice, priorities need to be set, recognized, and constantly re-evaluated, from the organization level down to individual contributors.

Continuous learning: Although Kubernetes has been around for a while now, it's valuable for everyone to keep learning new things when it comes to building the most performant and innovative products. The same goes for security. Staying on top of the latest vulnerabilities and policies is essential to keeping your applications secure. Natural curiosity is ideal, but consistent processes for training and education can achieve the same outcome.

Building your team based on formal titles isn't necessary for building the right culture; looking for individuals with these qualities will ensure that security becomes a mindset rather than a barrier.

Processes

The DevSecOps paradigm calls for new processes, or improvements to existing ones, that prioritize security at each step.

Development: As code is being written and updated, encourage individual contributors to incorporate security feedback via IDE extensions or CLI tools. Surfacing security best practices this early lets developers address issues quickly and with the right context, before those issues progress further down the pipeline. This is also a great way to foster continuous security education.

Build and deploy: As you add checks to your CI/CD pipelines, ensure that all teams are aware of the blocking criteria, so that friction doesn't arise when a build fails or a deployment is blocked due to a critical misconfiguration or vulnerability. When issues do arise, make sure specific individuals are responsible and on call to keep things running smoothly.

Runtime: Even with the most mature proactive security guardrails in place, the work doesn't stop at deployment. Having the right visibility, and developing processes for when security issues surface at runtime, is a big part of embracing DevSecOps.

Feedback and planning: Here, it's important for all stakeholders to understand the security impact that new features and updates may have. Security training and awareness are also crucial at this phase, as the work done here determines the security coverage throughout the rest of the development lifecycle.

Setting the right processes in place ensures that everyone is on the same page and sets the foundation for security consistency and cohesiveness.

Key performance indicators (KPIs)

One way to integrate DevSecOps into teams' day-to-day work is to hold each team accountable via shared KPIs. Metrics should take into account not only how secure applications are but also how quickly deployments occur and how reliable applications are. Here are some sample KPIs that touch development, operations, and security teams alike:

Volume of production issues over time and by severity: Ideally, the number of misconfigurations found at runtime should go down over time as issues are addressed earlier. With end-to-end visibility, it should also be easier to prioritize higher-severity issues, leading to fewer alerts and harder infrastructure over time.

Mean time to remediation (MTTR): Relatedly, as the volume of issues goes down, identified vulnerabilities and misconfigurations should be resolved faster. A shorter MTTR also indicates a stronger CI/CD pipeline and better institutional knowledge of the infrastructure being deployed and its security expectations.

Deployment speed and frequency: As you bake security measures into your DevOps lifecycle, be sure to monitor how frequently and quickly you're deploying. At the end of the day, security checks are only valuable if you're still able to deliver updates, so striking the right balance by tuning the level of control is key.
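The "Build and deploy" step above asks that every team know the pipeline's blocking criteria, and the three KPIs just listed (issue volume by severity over time, MTTR, and deployment frequency) all depend on findings being recorded on a shared severity scale. The following Python script is an added illustration, not code from Bridgecrew or from the original post: it puts a pipeline gate and the three KPI calculations on one severity scale. The Finding and Deployment record shapes, the stage labels, and the two weeks of sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# One severity scale shared by the pipeline gate and the KPI reports, so that
# "blocking criteria" and "issues by severity" mean the same thing to every team.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    """One misconfiguration or vulnerability finding (assumed record shape)."""
    id: str
    severity: str
    detected_at: datetime
    resolved_at: Optional[datetime]   # None while the finding is still open
    stage: str                        # assumed labels: "ide", "ci" or "runtime"


@dataclass
class Deployment:
    """One deployment attempt; blocked=True means the gate stopped it."""
    at: datetime
    blocked: bool


# Constructed sample data covering two weeks; these are not real findings.
T0 = datetime(2022, 8, 1)
FINDINGS = [
    Finding("f1", "CRITICAL", T0, T0 + timedelta(hours=6), "ci"),
    Finding("f2", "HIGH", T0 + timedelta(days=1), T0 + timedelta(days=3), "runtime"),
    Finding("f3", "MEDIUM", T0 + timedelta(days=2), None, "runtime"),
    Finding("f4", "LOW", T0 + timedelta(days=10), T0 + timedelta(days=11), "ide"),
    Finding("f5", "HIGH", T0 + timedelta(days=12), T0 + timedelta(days=12, hours=12), "ci"),
    Finding("f6", "HIGH", T0 + timedelta(days=13), None, "runtime"),
]
DEPLOYMENTS = [
    Deployment(T0 + timedelta(days=1), blocked=False),
    Deployment(T0 + timedelta(days=3), blocked=False),
    Deployment(T0 + timedelta(days=5), blocked=True),
    Deployment(T0 + timedelta(days=8), blocked=False),
    Deployment(T0 + timedelta(days=12), blocked=False),
    Deployment(T0 + timedelta(days=13), blocked=True),
]


def gate(findings: List[Finding], block_at: str = "HIGH") -> List[Finding]:
    """Pipeline gate: the open findings at or above the agreed blocking severity.
    A non-empty result means the build or deployment should fail, and the
    block_at value is the criterion every team should know in advance."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in findings
            if f.resolved_at is None and SEVERITY_RANK[f.severity] >= threshold]


def open_by_severity(findings: List[Finding], at: datetime) -> Dict[str, int]:
    """KPI 1: how many findings were open at a point in time, per severity."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        if f.detected_at <= at and (f.resolved_at is None or f.resolved_at > at):
            counts[f.severity] += 1
    return counts


def weekly_open_trend(findings: List[Finding], start: datetime, weeks: int) -> List[int]:
    """KPI 1 over time: total open findings at the end of each week."""
    return [sum(open_by_severity(findings, start + timedelta(weeks=w + 1)).values())
            for w in range(weeks)]


def mttr_hours(findings: List[Finding]) -> Optional[float]:
    """KPI 2: mean time to remediation in hours, over resolved findings only."""
    durations = [(f.resolved_at - f.detected_at).total_seconds() / 3600
                 for f in findings if f.resolved_at is not None]
    return mean(durations) if durations else None


def deployment_frequency(deployments: List[Deployment], start: datetime, end: datetime) -> float:
    """KPI 3: successful (non-blocked) deployments per week within [start, end)."""
    successful = sum(1 for d in deployments if start <= d.at < end and not d.blocked)
    return successful * 7 / (end - start).days


if __name__ == "__main__":
    print("gate would block on:", [f.id for f in gate(FINDINGS, "HIGH")])
    print("open at day 14:", open_by_severity(FINDINGS, T0 + timedelta(days=14)))
    print("weekly open trend:", weekly_open_trend(FINDINGS, T0, 2))
    print("MTTR hours, all stages:", mttr_hours(FINDINGS))
    print("MTTR hours, CI only:", mttr_hours([f for f in FINDINGS if f.stage == "ci"]))
    print("successful deploys per week:", deployment_frequency(DEPLOYMENTS, T0, T0 + timedelta(days=14)))
```

Filtering mttr_hours() by stage is the useful part: in the sample data the two findings caught in CI are closed in 9 hours on average, while the one caught at runtime took 48, which is the "address issues earlier" argument from the first KPI expressed as a number. Counting only non-blocked deployments in deployment_frequency() keeps the third KPI honest, since a gate that blocks often will show up there as a drop in delivery rather than being hidden.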

Because Kubernetes is such a dynamic and complex system, it's even more crucial to implement a solid set of KPIs to help you assess your organization's success internally and externally. DevSecOps is growing in popularity as a means of avoiding breaches that are costly in both resources and reputation. Bringing the right technologies, people, and processes together to establish baselines and measure success over time is necessary for any mature Kubernetes-based DevSecOps strategy.
