Do DevSecOps with AWS to practice cybersecurity vigilance

No, you don't have to call it DevSecOps

Many see DevSecOps and DevOps as one and the same. Ultimately, it doesn't matter what you call it, as long as you practice it.

In their AWS re:Inforce talk, "It's in my backlog: The truth behind DevSecOps," Randall Brooks, engineering fellow at Raytheon, and Shawn Harris, managing principal security architect at Starbucks Coffee Co., agreed with Schmidt's point in his keynote. When DevOps first started, security was included in the ops, they explained, but the race to integrate development and operations together in CI/CD pipelines relegated security practices to the back burner. DevSecOps doesn't shove security between development and operations but, again, emphasizes security practices and responsibility through everything an organization does, they said.

Organizations can call their process whatever they want, as long as they enforce security throughout, said Rich Mogull, a re:Inforce attendee and VP of products at DisruptOps, a security platform for multi-cloud infrastructure. Organizations don't necessarily need a DevSecOps team, especially if it's just another team thrown between development and operations. However, organizations should have a security automation team -- call it whatever you want -- that streamlines compliance and security practices for every step of the CI/CD pipeline, he said.

Likewise, while using AWS doesn't require customers to operate with a DevOps or DevSecOps team, organizations with siloed development, operations and security teams won't get the most out of the platform, Schmidt said.

DevSecOps with AWS

AWS has tried to address the cloud security issues that have arisen due to scale and the security skills shortage with features and services that simplify security and compliance posture. However, organizations can't do DevSecOps by simply opting in to AWS security defaults and its bread-and-butter security services, such as Identity and Access Management, Key Management Service and Security Hub. Ultimately, organizations are responsible for their own DevSecOps approach, Mogull said.

Under its shared responsibility model, AWS guarantees the security of its cloud platform, from regions and availability zones to core services, such as compute, storage, databases and networking. But AWS customers must ensure security for what they configure and operate on top of that infrastructure, such as encryption, firewall configurations, and identity and access management.

AWS provides customers some of the tools to do DevSecOps. Many AWS services include helpful security defaults, such as a built-in firewall for EC2 VMs and a setting to block S3 public access. Amazon also offers cloud security services, such as Amazon Inspector, which checks for proper configuration of your Amazon resources, and Amazon GuardDuty, which looks for behavior of instances that goes against AWS' best practices.

DevSecOps in AWS requires custom automation based on collaboration between developers and security engineers. Organizations must integrate security and eliminate siloed approaches. This means automating security practices as AWS Lambda functions and incorporating API calls and CloudWatch events, Mogull said.

The best way to get good code is to have developers on call when their code breaks, Schmidt said. This requires a cultural shift within organizations that AWS can push for but not force.

Brooks and Harris suggested a few ways organizations can kick-start this culture shift. They can embed application security engineers into development teams or have security engineers train developers interested in security and reward these developers as "security champions." From there, developers can start to automate static code analysis with Lambda.