As the industry is embracing DevOps and security is becoming even more important, how these two should be combined is still something that is being explored and is often referred to as DevSecOps. TurtleSec’s approach to DevSecOps is to automate as much as possible and integrate it into the existing pipeline. This is naturally a very custom process, and we believe it should be implemented by the teams themselves in their normal development workflow.
Mini Workshops and Threat Modeling
Having security as a gatekeeping activity is just another silo and doesn’t scale when push-to-prod is measured in minutes or seconds. TurtleSec will help companies on this path by arranging a series of mini workshops (3 hours each) for the teams involved.
The goal for the first workshop is to establish what threat modeling is and try to do some high level threat modeling for the system. The main goal for this workshop is to get an overview and to chose the first vulnerability to mitigate. This will then be the topic for the next workshop.
The next few workshops will follow a three part structure, first we will review what was done since the last workshop, then go through the topic of the workshop (most likely a type of vulnerability) and the last part is to start planning the work to mitigate the vulnerability.
Integrate into the workflow
The idea is that the team will create normal work-tasks for the work to mitigate the vulnerability, for example put it in Jira, prioritize it, plan it for the next sprint etc. We will discuss possible ways to mitigate it, and the goal is to put in automated mitigations into the existing pipeline, the production environment or the development environment. Examples of this could be configuration changes, monitoring, IDE plugins, scanning tools etc.
Over the course of workshops we will continue to work on threat modeling and try to have that guide us in choosing what to mitigate. As the system threat model becomes more familiar we will begin to figure out how to think about threat modeling when introducing new features.
Goals of the coaching processes
The over all goals of this coaching is to make the system more secure by introducing mitigations, but also to make this type of work second nature to the team and have it be naturally integrated in their day-to-day activities.
A natural extension to this would be to have a TurtleSec consultant work on the teams in question for longer or shorter periods to help them with this work. The DevSecOps coaching does, however, not necessitate this. The coaching is meant to be a guided one, where the teams follow a custom semi-structured path to find out how DevSecOps can be woven into their existing system and processes.
Please reach out if this is something you’d like to hear more about.