Enterprise DevSecOps is the union of Agile development, security, and operations. Organizations have had some notable success integrating two of these three pillars of long-term competitive advantage and strategy, variously benefitting from DevSec, SecOps, or DevOps, each with its own hybrid emphasis. However, the real benefit to an organization’s bottom line and market advantage is realized only by aligning all three functions. It is easy enough to theorize about what DevSecOps is and what it does. The challenge is how to implement enterprise DevSecOps in a practical and functional way.
Throughout our series on enterprise DevSecOps, we looked at the union of DevSec and SecOps, and at infusing security throughout DevOps. In the former, the union results in a focus on those tools and processes that provide end-to-end security for the operational system without compromising uptime or runtime quality. In the latter, the result is prioritizing security at the scale of the entire DevOps portfolio. Combining these – that is, rolling out tools and processes that provide prioritized end-to-end security at the scale of the DevOps portfolio – is an effective means to implement enterprise DevSecOps in your organization.
ThreatModeler™ is the Tool for Enterprise DevSecOps
ThreatModeler™ is the world’s first enterprise DevSecOps implementation solution. Whereas traditional threat modeling tools provide some efficiency in analyzing single applications in isolation, ThreatModeler™ is fundamentally an enterprise solution, benefitting stakeholders throughout the organization.
The ThreatModeler™ platform enables the CISO to manage organizational risk by yielding:
- An in-depth understanding of contemplated or deployed compensating controls;
- Thorough appreciation of the assets which attract attackers; and
- Analytical insights into the comprehensive attack surface through which attackers will initiate their activities.
ThreatModeler™ also provides consistent, concrete and actionable output to the DevOps and Security teams with:
- Automation of the threat modeling and threat identification process based on application and system architecture;
- Seamless integration with Agile workflows and toolsets;
- Collaboration across all functional roles; and
- Transformation of real-time threat intelligence into role-based actionable output, including cascading synchronization of new threats into existing threat models.
How to Implement Enterprise DevSecOps
Agile is a methodology. DevOps is a culture. Enterprise DevSecOps is the process of infusing security end-to-end throughout that culture and methodology. However, DevSecOps is more than a slogan that security is everyone’s concern. Infusing security practically at the scale of the entire DevOps portfolio, while keeping up with iterative Agile sprints, requires more than motivational phrases. It requires tools and processes that automate the infusion, turning security considerations into a self-serve model in which security experts and non-experts alike collaborate and align their functions toward the fulfillment of business goals. Thus, to implement enterprise DevSecOps in a practical, systematic way, organizations need to roll out an enterprise threat modeling practice powered by ThreatModeler™.
A three-phase roll-out of enterprise threat modeling may take 12 months to complete:
- The Initial Phase may take only three months, during which the security team creates 15–20 threat models with ThreatModeler™. The focus of this phase is to introduce the threat modeling tool and process to the security experts so they can develop a repeatable process, learn how to generate security requirements and test cases consistently, and build a central threat library from threat intelligence feeds.
- The Transitional Phase may take another three months to complete. During this time the security team introduces ThreatModeler™ to the application and system architects and shows them how to whiteboard their projects and iterations on the diagramming canvas. Developers and ops teams learn how to use ThreatModeler™ to track the progress of implementing security requirements at each phase of their sprints. As a target, each team creates, and keeps up to date, 20–30 new threat models drawn from its portfolio.
- The Universal Phase may take another six months. During this phase, all DevOps teams participate in the threat modeling initiative and transition to using ThreatModeler™. By the end of this phase, the organization will be able to study its top ten threats and its ten most vulnerable applications, and it will be well on its way to constructing an analysis of its comprehensive attack surface.
As the organization continues to work with ThreatModeler™, it will infuse security end-to-end throughout the DevOps culture and Agile production methodologies – which is, of course, to implement enterprise DevSecOps. The result is the alignment of the various functions of development, operations, and security with the overarching business goals and strategy.
To learn more about how enterprise threat modeling helps implement enterprise DevSecOps practically,