By Hayden Smith
With the new fiscal year upon us, you might be looking at some big goals for the year ahead. A fresh budget is the best time to give your purchases a security refresh. Use your funds to make an impact that returns results all year long.
What’s the spending strategy here? Simply this: a culture that values innovation looks for smarter ways to work, and that means tools that accelerate collaboration, communication and transparency.
Since I’m not advocating for any particular products, vendors, or brands, you’ll need to rely on folks in your agency to point you toward specific buys that fit your operations.
1. Training: I’m a huge advocate for hiring smart folks and training them up to the levels your agency needs. Strongly consider the ROI of investing in developer boot camps, Kubernetes classes, or whatever skill your team currently lacks.
Rationale: Education is good for employee retention and great for operations. Imagine the impact of having an entire development team earn industry certifications or DevOps accreditations, deepening their understanding of DevSecOps and other security methods in general.
2. DevSecOps transformation: Consider taking a cue from Oprah and delivering DevSecOps tools from your developers’ wish list. You get a DevSecOps tool! You get a DevSecOps tool! Everybody gets DevSecOps tools!
Your team has undoubtedly mentioned adopting tools to automate secure development practices to help enable DevSecOps. With funds to spend, now is the time to make it happen.
Rationale: Only your team knows what kinds of tools can make their lives easier or their work more efficient. Chances are, if they have already mentioned or asked for a tool, they’ve already done their homework to vet it. Spending on your developers can translate into increased morale and better retention.
3. Manual process automation tools: The shift-left mindset calls for increasing automated security checks during the development and build processes, freeing developers for more mission-critical tasks.
Rationale: Any kind of security automation eases the burden on developers and improves efficiency. Automation also speeds up release cycles for greater innovation and responsiveness to your agency’s changing needs.
4. Compliance automation tools: Your team will appreciate tools that automate security scanning and compliance checks. Focus on solutions that scan packages for vulnerabilities and security issues before they enter the production environment, protecting your assets and saving developers remediation time.
Rationale: Automation is a force multiplier, freeing up your personnel while helping control costs and increase velocity. Choosing a tool that tells developers which controls are failing helps drive a shift-left culture and can lead to a more satisfied workforce, where developer, security and operations teams collaborate.
5. Reporting tools: Developers and agency leadership can use dashboards, visualization, and monitoring tools to better understand development pipelines, schedules and security vulnerabilities.
Rationale: Tools that report on the various aspects of software development help maintain control over the entire development pipeline, allowing your team to adopt new container technologies while keeping everyone comfortable with the process – and aware of the results.
One last tip for shopping success: Security tools don’t need to be fancy to be impactful. There are lots of open-source tools and software that encourage DevSecOps and drive efficiency!
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.
Through his dedication to advancing safe cloud-native development practices, Smith has guided, empowered, equipped and accelerated DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and information security technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.
This article first appeared October 13, 2021.