DevOps, DevSecOps, Shift Security Left: why does SORINT talk about ‘effectiveness’ when offering these services?

A Gartner survey found that high collaboration between developers and security teams improves security results by 27 per cent. However, only 29 per cent of respondents say these two groups strongly agree with each other. When it comes to real-world practice, results and delivery, some small and medium-sized organisations still regard DevOps, DevSecOps and ‘Shift Security Left’ as uncertain concepts. For others, these methodologies are already part of their workflow, offering tangible benefits.

So what separates these two groups? And why do some organisations find it difficult to simplify day-to-day operations when adopting these methodologies?


A Winning Approach

It all comes down to one factor: the adaptation model.

The procedures, tools and cultural change that an organisation’s team must go through when adopting these methodologies or frameworks must be customised. There is no universal model.
‘At SORINT.lab, each client receives a proposal and a tailor-made operational model. Each assessment is unique and leads to specific results, because there are no identical solutions for different needs. Of course, there are common parameters, but a final adaptation plan, complete with feasible route, timing, tools and milestones, can never be valid for everyone. As far as I know, it is impossible,’ explains Mohab Abugabal, Strategist at SORINT.lab.

Bringing security professionals, developers and operations teams together in a cohesive workflow is both simple and incredibly complex. Why? Because of the variables: factors that must be identified during the evaluation phase before an ‘effective’ roadmap can be drawn up. Examples of key variables on the customer side:

  • Maturity levels of the organisation and the team
  • Project complexity
  • Theoretical foundations
  • Current practices and tools (if any)
  • Challenges, objectives and goals
  • Team dynamics, skills gaps and other factors

And much more.

At SORINT.lab, the evaluation phase is not complete until all key stakeholders (engineers, developers, security specialists and project managers) fully understand what is required to create an effective and results-oriented roadmap. Whether an existing methodology is being optimised or a completely new working framework is being implemented, the roadmap is always 100 per cent customised to suit the client’s specific business objectives and challenges.

Here is an example of a workshop programme recently realised for a client:

  • Shift Security Left (SSL) overview: what it is and how it is used
  • Collaboration between developers and security engineers
  • Training developers on key vulnerabilities
  • Creation of prevention workflows before product deployment
  • Using dynamic and static analysis tools (DAST and SAST)
  • Performing manual penetration tests
  • Continuous monitoring during the entire product life cycle

Some of the points in this programme may seem obvious or logical, but here is what made a remarkable difference: every example used in the session was directly relevant to the client’s industry, current projects, the team’s level of expertise and the client’s current technology stack. The inputs were customised, not random: they were the result of the assessments the SORINT.lab team had conducted beforehand.

Thus, ensuring full alignment with the client’s team is what makes the difference. That is what effectiveness and relevance mean.


Conclusion

A detailed analysis of the above-mentioned agenda, as implemented, will be the subject of a separate article. This will provide a practical understanding of how organisations can and should effectively integrate these methodologies into their software development workflow using relevant methods.