DevSecOps practices are essential to deliver software safely and securely within DevOps value streams.
To get the maximum security protection from DevSecOps, it is important to use recommended best practices, inclusive of people, processes, and technologies. A gap assessment is a great way to efficiently evaluate an organization’s practices for DevSecOps and determine a strategy for improvement. Gap analysis provides valuable inputs for formulating a strategy and roadmap to improve a topic including DevSecOps.
The name “SecDevOps” is gaining favor over “DevSecOps” when it comes to integrating security practices with DevOps practices. This is more than simply “putting Security First” in the name. With SecDevOps security concerns, at every stage in the DevOps value stream, are explicitly prioritized higher than other concerns. This makes sense given the blast radius of security events versus other quality concerns that DevOps addresses.
My SlideShare Gap Survey, Assessment and Analysis For DevSecOps explains how my 9 Pillars Gap Assessment Tool greatly speeds up the gap survey, gap assessment, and gap analysis process for DevSecOps.
It is important to clarify a few definitions for these purposes because I have found that different people and organizations use these terms differently. In this blog, and in my consulting work, I use the following definitions:
For those who want to dig deeper on this topic, additional definitions and contextual information related to the way I do gap assessments are clarified in my book Engineering DevOps.
I define a seven-step process for gap assessments. The steps are as follows:
Let’s take a look at the above seven steps for DevSecOps.
Step 1: Pick a Topic to Analyze
For our purposes here, the topic is DevSecOps.
Step 2: Determine Recommended Practices for DevSecOps
For an example DevSecOps assessment, I used the practices under nine practices categories described in a blog that I co-authored called 9 Pillars of Continuous Security Best Practices. The nine practice category pillars are:
Step 3: Enter the Selected Practices into a Gap Assessment Tool
You can find and download a free gap assessment tool, pre-loaded with a sample of DevSecOps practices in a file called DevSecOps Assessment, from one of the resource pages found on my website, EngineeringDevOps. You can edit the practices categories and add/delete practices from each category if you prefer to make changes.
Step 4: Determine Who to Include in the Gap Survey
For the gap analysis to be comprehensive, people in roles that are affected by container practices need to be surveyed, or at least represented, to ensure their perspectives are included. Some example roles that are typically included:
The survey can be conducted for an individual application, a group of applications, or all the applications in the enterprise. However, it is important that the gap assessment and gap analysis be performed on the organizational segment that is being targeted for improvement.
Step 5: Collect Data Using the Gap Survey
A gap survey should allow each surveyed person to enter an “Importance Level” score, a “Practice Level” score, and comments for each practice. All this information is essential for the gap assessment and gap analysis. In the gap survey included in my gap assessment tool, survey respondents are asked to score the importance of each practice as one of 0=not relevant, 1=not important, 2=nice to have, 3=important, 4=very important or 5=critical. Practice-level choices are 0=not sure, 1=rarely, if ever, 2= sometimes, 3=most of the time, 4=always or 5=we are good at this. Comments that are relevant to qualify or explain the scores entered for each practice should also be entered, especially if there is any doubt or ambiguity.
Step 6: Perform a Gap Assessment
The gap assessment process requires all the practice scores collected from the surveys to be collected and assembled to calculate an aggregate set of scores. Gap scores are calculated using a formula that weights each practice level score with the corresponding importance level score. A visual representation helps to identify practices areas and individual practices that have the highest, most important gaps.
No matter how professionally written the practices and score definitions are, it is not unusual for some people to misunderstand and enter scores that they would not otherwise have. For this reason, it is important to ensure that the data collected is validated before conducting the gap analysis. The preferred approach is to conduct a gap assessment workshop with key representatives from each role that participated in the survey. During the workshop, the scores for each practice that have a high deviation between survey responses are discussed and, if necessary, adjusted.
Step 7: Perform a Gap Analysis
The gap analysis process involves extracting the high gap practices and tagging and ranking each of them against solution categories that are determined by a consultant or topic expert.
The result of the gap analysis indicates where solution strategies and implementation roadmaps need to be focused to reduce the most important gaps.
What This Means
While it is clear that DevOps offers immense value for software deployment, the adherence to best practices for DevSecOps is essential to reduce risk and assure security. Each organization is different and has different security postures. The specific practices, security tools, and metrics that are appropriate may vary according to a risk assessment for each organization. This blog explained a gap assessment approach, which uses my nine pillars of best practices for DevSecOps. My free DevSecOps assessment tool facilitates a gap analysis for DevSecOps and priorities to improve DevSecOps practices for an organization.