RSA 2022: A Roadmap for Building Enterprise-Scale DevSecOps

ADP outlines a multi-pronged strategy that elevates DevSecOps from development silos to enterprise-scale success

After an avalanche of high-profile cyberattacks, Broadcom Software is seeing the importance of shift-left security finally resonating with development organizations. Yet many still struggle to seamlessly integrate DevSecOps into a widely adopted enterprise framework.

There’s no question that DevSecOps, which aims to transparently meld security practices into holistic agile IT and DevOps processes, has gained traction in the wake of the SolarWinds supply chain attack and Log4J vulnerability, among a litany of other breaches. According to Gartner, 90% of software development projects are expected to follow DevSecOps practices this year, significantly up from 40% in 2019. Nevertheless, 70% of DevOps professionals said they lack the necessary formal education and training in order to successfully execute DevSecOps practices, according to another survey.

ADP, the human resources services and payroll giant, is in the midst of an on-going journey to address disjointed DevSecOps practices, and the project’s leaders highlighted its strategy and solution at a panel discussion at the 2022 RSA Conference.

ADP identified the need for enterprise-scale DevSecOps for a variety of reasons, all coalescing around the fact that autonomous development groups operate with a great deal of variability, impeding visibility into security problems and limiting any ability to remediate consistently. Most development groups rely on different technology stacks, with each taking its own approach to detecting and closing security vulnerabilities. Silos prevent a uniform view of the security state of applications across individual departments and make it difficult to enforce a uniform level of compliance across the greater enterprise. There are also numerous flavors of scanners available, making it difficult to process vulnerability feeds and cut through scanner noise.

“Autonomous groups and multiple products—that’s the heart of the enterprise DevSecOps problem,” said Prateek Mishra, senior director, security architecture in the CTO office at ADP, during the RSA panel, entitled “Building an Enterprise-Scale DevSecOps Infrastructure: Lessons Learned.”

Another big obstacle to enterprise-scale DevSecOps: ensuring that development teams are only tasked with the security vulnerabilities relevant to them, given the broad scope of application artifacts, from git branches to build processes to docker containers. The lack of information sharing among development teams, coupled with a general lack of remediation guidance, was an ongoing challenge.

ADP’s solution was an enterprise-scale DevSecOps fabric that would bridge the silo mentality through shared infrastructure and an extensible framework. The layered architecture enables developers to plug-in their preferred development tech stacks and CI+CD frameworks while also processing and managing security vulnerabilities from diverse scanners and security information sources. The team built a software workbench out of both stock components and open source tools, ensuring a standardized way to display vulnerabilities along with a uniform approach for packaging scanner elements into docker images. The current focus is on integration with Jenkins-based pipelines, but the enterprise DevSecOps workbench is designed to expand to others, as needed.

One of the central pillars of the ADP enterprise DevSecOps framework is creating linkages between repositories and projects and relevant products and product teams based on machine readable meta-data. The goal was to enable fine-grained vulnerability reporting at the repository and artifact level as well as to expose the extent of security maturity across divisions and products.

“This was a big part of our design,” said Gaurav Bhargava, ADP’s director of product management, developer experience, adding that they created a web GUI to connect relevant artifacts to teams and products, so people are keyed into what’s relevant to their projects. “It’s a big part of the culture change—it lets them start using the platform and addressing these issues,” he added.
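A sketch of the repository-to-team linkage described above, as an added example that is not ADP's code: findings from two hypothetical scanner formats are normalized, deduplicated, and routed to owning teams through a machine-readable metadata map. All field names, artifact names and finding IDs are constructed for illustration.

```python
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed ownership metadata (artifact -> product, team); the layout is an assumption.
OWNERSHIP = {
    "git:payroll/tax-engine": ("payroll", "tax-core"),
    "image:payroll/tax-engine": ("payroll", "tax-core"),
    "git:hr/onboarding-ui": ("hr-portal", "onboarding"),
}
# Constructed output from two hypothetical scanners with different schemas.
DEP_SCANNER = [
    {"repo": "payroll/tax-engine", "id": "CVE-EXAMPLE-0001", "sev": "CRITICAL"},
    {"repo": "hr/onboarding-ui", "id": "CVE-EXAMPLE-0002", "sev": "Medium"},
    {"repo": "hr/onboarding-ui", "id": "CVE-EXAMPLE-0002", "sev": "High"},  # duplicate report
    {"repo": "labs/prototype", "id": "CVE-EXAMPLE-0003", "sev": "High"},  # no owner metadata
]
IMAGE_SCANNER = [  # assumed to report severity as a 1-4 score
    {"image": "payroll/tax-engine", "vuln": "CVE-EXAMPLE-0001", "score": 4},
    {"image": "payroll/tax-engine", "vuln": "CVE-EXAMPLE-0004", "score": 1},
]

def normalize():
    """Map both scanner schemas onto one record: (artifact, vuln_id, severity)."""
    for f in DEP_SCANNER:
        yield f"git:{f['repo']}", f["id"], SEVERITY[f["sev"].lower()]
    for f in IMAGE_SCANNER:
        yield f"image:{f['image']}", f["vuln"], f["score"]

def route(findings):
    """Deduplicate per artifact (keep worst severity), then group by owning team."""
    worst = {}
    for artifact, vuln, sev in findings:
        worst[(artifact, vuln)] = max(sev, worst.get((artifact, vuln), 0))
    by_team = defaultdict(list)
    for (artifact, vuln), sev in sorted(worst.items()):
        # Artifacts with no metadata link are surfaced, not silently dropped.
        owner = OWNERSHIP.get(artifact, ("unmapped", "unassigned"))
        by_team[owner].append((artifact, vuln, sev))
    return dict(by_team)

def product_rollup(by_team):
    """Per-product count of high and critical findings for cross-division reporting."""
    rollup = defaultdict(int)
    for (product, _team), items in by_team.items():
        rollup[product] += sum(sev >= SEVERITY["high"] for _a, _v, sev in items)
    return dict(rollup)

if __name__ == "__main__":
    print(product_rollup(route(normalize())))
```

The "unmapped" bucket is the part worth watching in practice: it measures how many scanned artifacts still lack an ownership link.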

Takeaways and lessons learned

Along with the Workbench tool, the ADP leaders outlined several best practices to facilitate the requisite culture change:

Gain stakeholder buy-in. It’s important to get everyone, from development teams to leadership, on the same page. ADP built a proof-of-concept to illustrate the advantages of enterprise-scale DevSecOps, which helped foster buy-in.

Get clarity on the specifics. Make sure selected tools support the various teams’ requirements and tech stacks while gaining consensus on how security vulnerabilities should be surfaced. Enlist champions and establish regular feedback mechanisms.

Develop a process for remediation timelines and priorities. Not every security issue is easily fixed so it’s critical to have an agreed-upon tracking and remediation process. Training and office hours were an important part of this exercise.

Mishra cautioned that the process is a marathon, not a sprint. “We’ve been at this for 18 months and we’re getting to a certain level of maturity,” he noted. “However, there are always new threats, new issues, new analyses, but we’ve established a baseline.”

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.