What it takes to succeed in DevSecOps

Providing engineering leadership, gaining a grasp of the DevSecOps toolchain, and striking a balance between speed and security are some of the areas organisations need to focus on to succeed in their DevSecOps journey.

Speaking at a DevSecOps session hosted by Snyk at Cloud Expo Asia 2023, Dipin Thomas, engineering manager at Shopback, an e-commerce cashback platform, called for engineering leaders to set the vision and direction of their DevSecOps journey, invest in tools and provide enough time for teams to pick up the required skills.

“Once all of that is in place, you’ll have to constantly monitor and improve the process. You can’t just buy a tool with some budget and then forget about it. These are the things that leaders have to do,” Thomas said.

Madhi Periannan, chief technology officer of TASConnect, a supply chain finance platform developed by SC Ventures, Standard Chartered’s fintech investment and ventures arm, elaborated on the execution work needed to achieve DevSecOps outcomes, such as identifying and integrating the appropriate tools into the software development lifecycle.

For one thing, the developer integrated development environment (IDE) should be integrated into DevSecOps tools so that any vulnerability introduced knowingly or unknowingly can be flagged at the entry point of the code, he said. “We also have controls in place to ensure that no critical or high vulnerabilities are present before the developer checks in the code.”

Periannan said these controls – or “stage gates” – are integrated into development pipelines to scan containers and static ports to ensure that the minimum exit criteria are met, adding that tools like Snyk provide a comprehensive approval dashboard and indicate where problems are and where actions are required.

One challenge with DevSecOps is tool sprawl and the many dashboards and reports that engineering teams find themselves grappling with. However, whether and how an organisation should consolidate tools and reports would depend on its data requirements, Thomas noted.

For Shopback, speed is crucial, and therefore, only critical reports are sent to the company’s management team. “Another set of reports is sent to engineering department heads and engineers, but while reports are good to have, we can’t send them to every single person,” Thomas said.

The emphasis on speed does not mean that security takes a backseat for Shopback, which was fined S$74,400 in August 2023 by Singapore’s Personal Data Protection Commission for a data breach that compromised the personal information of over 1.4 million users.

Thomas said developers are given the freedom to build things quickly in the early stages, but as the build progresses, medium- and high-risk vulnerabilities are identified and addressed. “By the time we reach production, pretty much everything is solved and it’s rare that we have a build that was stopped because of security reasons.”

There are also quarterly check-ins with engineering teams to provide feedback on how they are doing in terms of the number of vulnerabilities that were introduced and resolved. “This gives them insights and encourages them to do better,” Thomas said.

Periannan said TASConnect has implemented objectives and key results (OKRs) for engineering teams to track vulnerabilities, and perform root cause analyses to determine how the vulnerabilities were introduced. “It’s easier for us to track at that level and then capture them as part of OKRs, which we review with our risk and compliance team regularly and roll up to the board as well.”

At the same time, organisations will also need to foster the right culture and empower engineering teams to make decisions on tools and processes. This will help reduce any friction that could hinder the broader adoption of DevSecOps, Thomas said.