More Silo Smashing Ideas, bringing InfoSec and DevOps together

Last week I wrote an article on InfoSec’s new mandate to smash silos and amplify feedback loops. In that article, there was a list of 7–8 ideas that I had heard people employ at various companies and organizations specifically geared to bridge the gap between InfoSec and everyone else. If you don’t experience this gap then it might be a good idea to self-evaluate with these handy questions:

• Am I part of the problem and naive about how disconnected I am?
• Has my organization resisted modernization? (If your cycle time is months or quarters then yes, more introspection is required and the rest of this article probably won’t solve your core problem.)
• Am I participating in—knowingly or unknowingly—Bimodal IT? (Jez Humble has a great post on this.)

Hopefully, dear reader, those above questions don’t apply to you and you aren’t ignorant of the gap between InfoSec and everyone else. You get it and you want to do something about it. Congratulations on being awesome.

Now, onto silo smashing ideas

In the last article we listed these ideas to help InfoSec bridge the gap:

• Attend standup meetings or other agile implementations in the development team.
• Use the tooling of the group you are trying to unite with; say your developers use Jira to track on defects, so when you find a vulnerability you should—no surprise here—use Jira to track it.
• Attend each other’s conferences (devs go with security and security go with devs).
• Host a capture the flag competition for developers with sweet swag and bragging rights.
• Share security data in a self-service way (dashboards, APIs, …) not to be confused with push mechanisms (email, pdf, …).
• Find a security champion in each group and deputize—winners of the capture the flag competition might be a good place to start.
• Pursue automating compliance in the config management stack.

I also asked our readers to send in more ideas, and they sent in some really great additions to the list.

Our awesome readers suggest…

• Standing weekly CTF working sessions (not just a one-off). (via Chris Eng of Veracode)
• Send security folks to ScrumMaster training. (via Chris Eng)
• Learning lunches on security topics open to entire company. (via Chris Eng)
• A fun one that we do—lock pick training as a part of new employee induction. Offense, defense, and vuln all at once. (via caseyjohnellis of Bugcrowd)
• Spend 2 days or more offering to help the team with THEIR work. Do what they do, help w/”scut” work (via Matt Jane)
• We built an internal app sec resource site for developers instead [of just sending them links to OWASP] (via David Rook of Riot Games)

The DevOps Roadmap for Security

This is Signal Sciences’ DevOps Roadmap for Security e-book. This book will go over rugged principles, practices, and tooling.

Free Ebook

This list is still growing with ideas and the more we experiment with bringing InfoSec into modern, fast-paced DevOps geared organizations the more we are going to learn. I would love to hear from you either in the comments on this article or via twitter, just mention @wickett in your tweet with the hashtag #silosmashing and you too can make future updates to this list!

At Signal Sciences we are building the industry’s first Next Generation Web Application Firewall (NGWAF). Our NGWAF was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.