,
25 tweets,
9 min read
Read on Twitter
Jihai Zhou is going to tell us about implementing DevSecOps in large banks. #DevOpsDays
In Jihai’s experience in London, a strong concept of DevOps has developed over the last 3-4 years. He just moved to HSBC’s Technology China office and finds the awareness of DevOps is less developed there (so far!). #DevOpsDays
Now he’s started to introduce DevSecOps there too. 💪 DevOps means better, faster cooperation between teams to deliver software... but rapid development conflicts with security. So let’s remove the barrier with security too! #DevOpsDays
DevSecOps was originally called DevOpsSec (Gartner, 2012). The idea behind the name change is to ‘left-shift’ the security mindset to the dev team, before release of software. #DevOpsDays
This can make the process faster, reducing the security bottleneck at the end of the software development cycle. Building automated tools for devs to integrate security into their work can also improve outcomes. #devopsdays
There are technical and cultural challenges in DevSecOps—but the cultural ones are most important. Devs might not think security is their job, and if they do, they might not have the knowledge to take charge of fixing issues. #DevOpsDays 
Jihai has spent a lot of time selling Dev(Sec)Ops to teams. He says the most important people to convince are not developers but management. #DevOpsDays
Best practices for cultural DevSecOps change: first, ongoing training. Teach devs to think from the attacker’s perspective, with practical exercises; ensure standards are implemented correctly and knowledge is spread efficiently. #DevOpsDays
You need a Security Champion to coordinate and track security issues to the security advisor, and you need buy-in from management. Explain what vulnerabilities mean in biz terms.
You can run exercises between teams to practise security processes. There was a contest between HSBC’s Indian and Chinese teams just this week! Jihai wanted to include a photo of the winners but he wasn’t allowed to. :( #devopsdays
Technical and process best practices: mostly automation! Nothing will work consistently if you don’t automate it. Publish security monitoring on dashboards so that feedback loops are short and you (and managers) can’t ignore it. #devopsdays
There are three stages in Jihai’s model of adopting DevSecOps:
1) Integrate cyber security tools
2) Set up training
3) Establish a cyber security mindset: dedicate resources to it, make sure there’s an expert in every team
#DevOpsDays
1) Integrate cyber security tools
2) Set up training
3) Establish a cyber security mindset: dedicate resources to it, make sure there’s an expert in every team
#DevOpsDays
After three months, Jihai reckons the dev teams in the trial have built up enough knowledge to fix the security issues they discover in their work. 💪 There are 1500 devs in the Guangzhou office: he’s rolling it out to all of them in the next six months. #DevOpsDays
Jihai recommends Checkmarx as a DevSecOps tool for vulnerability scanning and reporting. It has a Jenkins plugin so you can integrate it easily into your CI/CD. Very nice dashboard for displaying issues. #DevOpsDays
Another option is Sonatype Neuxs IQ Server. It’s FOSS and also integrates into CI/CD. :) #devopsdays
But... don’t forget the tools are just the beginning. Only people can *fix* the issues they find!
- I use Jira, I’m agile!
- I use Jenkins, I’m a DevOps!
- I use Checkmarx, I’m a DevSecOps!
🤨 You need to use the tools to improve, or it’s pointless.
#DevOpsDays
- I use Jira, I’m agile!
- I use Jenkins, I’m a DevOps!
- I use Checkmarx, I’m a DevSecOps!
🤨 You need to use the tools to improve, or it’s pointless.
#DevOpsDays
For ongoing training, the tools often have embedded study materials. :) Click on the ❓ in the dashboard and see how to fix your actual issue: limited but practical help. #devopsdays
The best overall training materials Jihai’s found are at securecodewarrior.com/training (looks like fun from the screenshots!) #DevSecOps
Q: first question to the organisers: when do we rename DevOpsDays to DevSecOpsDays?
@matemaz: well, DevOps should include DevSecOps... or we could just rename it. :)
#devopsdays #devsecopsdays?
@matemaz: well, DevOps should include DevSecOps... or we could just rename it. :)
#devopsdays #devsecopsdays?
Q: how to convince management of the value of DevSecOps?
A: you really need to go from the top. Try to find any senior management people you can, or business level, and *talk* to them about it. (Cont)
A: you really need to go from the top. Try to find any senior management people you can, or business level, and *talk* to them about it. (Cont)
(Cont) One colleague convinced the compliance dept to get into DevOps by telling the manager, “You lose 4 million dollars a year not doing this!” Not sure how he quantified it, but that helped. That and talking to the right person. #devopsdays
Q: how is your CI/CD platform secured? A: it’s completely internal infrastructure.
Another way to get business invested in DevSecOps: set up cross-funtional teams (‘pods’) with devs and business people working together. #devopsdays
For the legacy teams/projects, Jihai focuses on helping them build up knowledge, but for new teams, they start from a DecSecOps mindset right away. #devopsdays
@threadreaderapp Please unroll, thank you!
