DevSecOps and Value Stream Management

319 VIEWS

· ·

Everything done within an organization should provide value to customers and other stakeholders. Value Stream Management (VSM) is a business practice that helps identify areas for improvement in a process to make operations more efficient and drive business value. In VSM, you need to know the value of the output and the value that each step in the process flow adds during the creation of the asset. A core tenant of lean management is that teams optimize value streams for what and how they do things. This commonsense approach is why VSM is valuable, especially in our modern digital economy. It has been adopted by more and more organizations since it was born out of Toyota’s manufacturing and business practices way back in the 1930s.

Of course, you may be thinking, “that makes sense, but what does this have to do with DevSecOps?”

Agile, Scrum, SAFe, and most other post-waterfall development methodologies involve developing software delivery flow and removing obstacles to deliver value faster and to increase productivity. DevOps focuses on figuring out how to integrate this into an organization’s culture and tooling so that the organization can achieve those streamlined flows. DevSecOps is the latest iteration, and it highlights security as a core value-add within DevOps practices. All the tooling involved in DevSecOps has one thing in common, it proves some level of automation that removes manual bottlenecks in the application build and deployment lifecycle.

Learn and Document Existing Processes

On any journey that involves utilizing DevOps as a part of software development, you need to use a lot of existing technology and processes. While a true fresh start can happen, that approach rarely works in the long term because services become so complex that migrating and rearchitecting them is a better use of time and money than rewriting from scratch. To start down this path, you need to learn the existing processes and technologies used by both software development teams and security teams to identify where to integrate principles like shift-left to a software development lifecycle (SDLC) to show off the value and efficiencies DevSecOps best practices can provide, like faster remediation of vulnerabilities.

As you learn existing processes and all the steps for taking a requirement from inception to production, it’s important to document the current state and why you performed each step. Even when you’re working with methodologies that appear “anti-documentation” (like Agile), that’s not the case; rather, they focus on value and eliminating overhead. As you build out a new pipeline to support existing applications, you want to make sure that every step has value. You want to make sure that you don’t lose the existing value that you are providing, so it’s important to document things “as-is” as well. You don’t need to write a master’s thesis that documents every little detail or who decided what, but you do need to capture the major steps.

Some of the information to capture includes:

  • Is the application built manually or with automation?
  • What test coverage and code container-based scanning is there?
  • Which stages of the continuous integration/continuous delivery (CI/CD) pipeline include them?
  • Are the security checks automated or manual?
  • Is infrastructure as code (IaC) in place to build the environments?
  • Is there a software manifest of all included components?
  • Are dependencies automatically imported using Maven or something similar?
  • Are there internal registries and repositories with approved versions?

Adapt and Optimize

Now that you know the existing state, it’s time to introduce tooling and processes built with DevSecOps practices that will automate the process from code to delivery as part of your VSM.

Some easy wins that will show value to stakeholders include the following:

  • Automating the application saves your developers’ time increasing productivity.
  • Adding application security testing to scan code for critical vulnerabilities (CVEs) and best practices using that automated build stage will enable you to catch issues immediately and address them before any time has been spent building environments and testing the application.
  • Having a central repository with approved versions of dependencies and automated dependency management frees developers from having to remember where to find the latest versions and which versions need an upgrade.
  • Using infrastructure as code to build your environment, including your cloud and Kubernetes stack, allows you to scan the environment in many ways to ensure that it complies with regulations and requirements. This will help keep organizations out of legal and contractual trouble with customers.

Conclusion

Combining Value Stream Management with the implementation and expansion of DevSecOps practices is becoming the best-of-breed approach to optimize every stage of development and security end-to-end. By having everything in a single pipeline with optimized value streams and checks and controls for vulnerabilities and misconfigurations, you eliminate time-consuming manual reviews at later stages of the development process flow. These manual steps add costs and become bottlenecks that cause unpredictable delays as projects make their way to becoming products. Documenting every step of the process and the value that it adds to the final service increases transparency, security, and the trust that stakeholders and customers will have in the final product. Ultimately, this process improves business metrics and customer value.

Learn what works for other cloud native security experts:

 The State of Cloud Native Security Report 2022


Vince Power is an Enterprise Architect with a focus on digital transformation built with cloud enabled technologies. He has extensive experience working with Agile development organizations delivering their applications and services using DevOps principles including security controls, identity management, and test automation. You can find @vincepower on Twitter. Vince is a regular contributor at Fixate IO.


Discussion

Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published.

Menu
Skip to toolbar