Black Hat Asia customer panel recap: How to lead DevSecOps adoption

DevSecOps is all about collaboration: facilitating a solid partnership between development and security teams. However, these collaboration efforts won’t succeed without help from leadership. Development and security teams need top-down support to set measurable goals, create a secure CI/CD pipeline, and establish a DevSecOps culture.

Three experts came together at Black Hat Asia 2023 to discuss how leadership can participate in fostering security success. The panel included Pablo Reyes, AppSec Lead at Woolworths, Dipin Thomas, Engineering Manager at Shopback, and Metarsit Leenayongwut, Engineering Manager at Coinhako. They mentioned five tips that leaders can consider as they head up their organizations’ DevSecOps initiatives. 

Focus on making gradual changes to the culture

According to the panelists, leaders should focus on fostering a company-wide DevSecOps culture. Pablo Reyes said, “Most of the time…we focus on tools, we focus on scripting automation, and we forget the most important part, which is the people, the culture…[leaders] need to show their commitment and empower the culture of adopting [DevSecOps] practices.” 

But as leaders establish a DevSecOps culture, they must remember that change takes time. Metarsit Leenayongwut said, “DevSecOps is a living process…it’s iterative, and you get to improve it over time.”

Establish effective communication right off the bat

Successful DevSecOps also requires a foundation of good communication. Leaders must establish feedback loops and aim for strategic rollouts. According to Dipin, communicating with the right stakeholders in the proper channels ensures “that everyone is on board. That's the important thing. After that, when we roll out tools, it's smooth…This also ensures that we have the right [communication] practices. We can give feedback to the developers faster and make sure that everything is good.”

It’s also essential to tailor communications to each group of stakeholders. For example, CISOs usually want information about the types of found vulnerabilities and how long it takes to fix them. By contrast, management wants to hear about the DevSecOps adoption rate and determine if the developers are satisfied with the chosen toolkits. Development teams want proof that DevSecOps practices will bring value to them and their existing workflows. Dipin recommends that security teams work closely with engineering teams and invite them to “test” the security tools’ capabilities on a small scale. This firsthand experience is a great way to prove the value of DevSecOps.

Collect the right metrics 

Sometimes, it seems like everyone has a different definition of “DevSecOps success.” Leaders should get everyone on the same page by establishing concrete goals and benchmarks. The panelists recommend focusing on tangible data like adoption rate, developer happiness, vulnerability count, and false positives. 

The Woolworths team also looks at metrics related to the application build and remediation process. Pablo's team asks questions like, “How frequently are we building? And what's a failure factor for our build pipelines?…how frequently are we deploying? Another one is ‘if there is a mistake, how much time does it take us to recover or to put it back to how it was?’” 

These metrics enable the application security and engineering teams to measure success. They also help the leadership team stay in the loop and see improvement over time.

Make security an enabler, not an auditor

In decades past, security professionals approached remediation with a “checklist” mentality. To facilitate DevSecOps success, leadership teams should encourage their security experts to become enablers instead. The security teams must remove any obstacles that prevent developers from fully participating in security initiatives. 

According to Metarsit, one way to foster this type of enablement culture is to “always integrate your security tools, end to end…many people have heard horror stories of the security team coming with this big binder of vulnerabilities and saying, ‘you're going to fix these thousand vulnerabilities.’ But by [integrating your tools] and collaborating, everyone can take part in fixing them.” 

Approach the process with adaptability and flexibility

If there’s one common thread between different enterprises’ DevSecOps programs, it’s unpredictability. Every leader should be ready to adapt and respond to the unexpected. Metarsit believes that the mark of a good leader is adaptability: staying open to new ideas and approaching DevSecOps with an improvement mindset. He said, “There will be new tools, technology, and methodology every day. Understand them and be open to them.”

Leaders should also consider hiring team members with this same mindset. Pablo said, “When you hire, make sure part of the selection criteria is soft skills…they need to be very flexible. They need to be willing to accept failures.”

Learn more about leading DevSecOps initiatives

Even though it takes the entire organization’s support to implement successful DevSecOps practices, the leadership team sets the tone for the whole process. To hear more leadership tips from the experts at Woolworths, Shopback, and Coinhako, check out their entire presentation. In addition, learn more about security in today’s software supply chains by visiting Snyk’s DevSecOps knowledge hub.