DevSecOps practices are essential to delivering software safely and securely within DevOps value streams.
To get maximum security protection from DevSecOps, it is essential to use recommended best practices, including people, processes, and technologies. A gap assessment is a great way to efficiently evaluate an organization's practices for DevSecOps and determine a strategy for improvement. In addition, gap analysis provides valuable inputs for formulating a strategy and roadmap to improve a topic, including DevSecOps.
The name "SecDevOps" is gaining favor over "DevSecOps" when integrating security practices with DevOps practices. This is more than simply "putting Security First" in the name. SecDevOps security concerns are explicitly prioritized higher than other concerns at every stage in the DevOps value stream. This makes sense, given the blast radius of security events versus other quality concerns that DevOps addresses.
My SlideShare Gap Survey, Assessment and Analysis For DevSecOps explains how my 9 Pillars Gap Assessment Tool dramatically speeds up the gap survey, assessment, and analysis process for DevSecOps.
Clarifying a few definitions for these purposes is important because I have found that different people and organizations use these terms differently.
In this blog and my consulting work, I use the following definitions:
- Gap survey is a discovery tool used to collect information about a topic's current state of practice.
- Gap assessment is a process to determine differences (gaps) between current practices and recommended practices for a topic. Gap assessment is also used to refer to the entire collection of activities in this list.
- Gap assessment workshop is a meeting in which the gap assessment is validated prior to gap analysis.
- Gap analysis is the process of determining priorities for reducing the gaps found during a gap assessment.
- Gap assessment tool is software that helps perform gap surveys, gap assessments, and gap analyses.
For those who want to dig deeper into this topic, additional definitions and contextual information related to how I do gap assessments are clarified in my book Engineering DevOps.
The Seven-Step Process for Gap Assessments
The steps are as follows:
- Pick a topic to analyze. The same processes and tools can be applied equally well to almost any topic.
- Determine recommended practices for the topic. Something worth doing a gap assessment for, such as DevSecOps, will generally be pretty complex with tens, if not hundreds, of practices. Categorize the practices into groupings (I call the groups "pillars") to make the list of practices more understandable and meaningful. Doing this will require some research and work. For example, I have a database of practices and pillars for DevOps, continuous testing, DevSecOps and SRE, and other topics such as containers.
- Enter the chosen practices into a gap assessment tool. The tool can be a simple survey tool you create, a commercial survey tool, or something custom-made.
- Determine who needs to be included in the gap survey.
- Collect data using the gap survey.
- Perform a gap assessment.
- Perform a gap analysis.
Let's take a look at the above seven steps for DevSecOps.
Step 1: Pick a Topic to Analyze
For our purposes here, the topic is DevSecOps.
Step 2: Determine Recommended Practices for DevSecOps
For an example DevSecOps assessment, I used the practices under nine practice categories described in a blog that I co-authored called 9 Pillars of Continuous Security Best Practices. The nine practice category pillars are:
- Collaborative culture
- Design for DevOps
- Continuous integration
- Continuous testing
- Continuous monitoring
- Elastic infrastructure
- Continuous delivery
- Continuous security
Step 3: Enter the Selected Practices into a Gap Assessment Tool
You can find and download a free gap assessment tool, pre-loaded with a sample of DevSecOps practices in a file called DevSecOps Assessment, from one of the resource pages found on my website, EngineeringDevOps. You can edit the practice categories and add/delete practices from each category if you prefer to make changes.
Step 4: Determine Who to Include in the Gap Survey
For the gap analysis to be comprehensive, people in roles affected by container practices need to be surveyed, or at least represented, to ensure their perspectives are included. Some example roles that are typically included:
- Business leaders - because leaders influence culture and budgets for DevSecOps.
- Developers - because developers need to design by DevSecOps practices.
- Project owners - because they influence product work priorities.
- QA testers - because they need to test by DevSecOps practices.
- Ops - because DevSecOps practices affect operations.
- Security - because DevSecOps practices affect security practices.
The survey can be conducted for an individual application, a group of applications, or all the applications in the enterprise. First, however, the gap assessment and gap analysis must be performed on the organizational segment that is being targeted for improvement.
Step 5: Collect Data Using the Gap Survey
A gap survey should allow each surveyed person to enter an "Importance Level" score, a "Practice Level" score, and comments for each practice. All this information is essential for the gap assessment and gap analysis. For example, in the gap survey included in my gap assessment tool, survey respondents are asked to score the importance of each practice as one of the following:
- 0=not relevant
- 1=not important
- 2=nice to have
- 4=very important or
Practice-level choices are the following:
- 0=not sure
- 1=rarely, if ever
- 2= sometimes
- 3=most of the time
- 4=always or
- 5=we are good at this
Comments relevant to qualify or explain the scores entered for each practice should also be entered, especially if there is any doubt or ambiguity.
Step 6: Perform a Gap Assessment
The gap assessment process requires all the practice scores collected from the surveys to be collected and assembled to calculate an aggregate set of scores. Gap scores are calculated using a formula that weights each practice level score with the corresponding importance level score. A visual representation helps identify practice areas and individual practices that have the highest, most important gaps.
No matter how professionally written the practices and score definitions are, it is not unusual for some people to misunderstand and enter scores they would not otherwise have. For this reason, it is crucial to validate the data collected before conducting the gap analysis. The preferred approach is conducting a gap assessment workshop with key representatives from each role participating in the survey. During the workshop, the scores for each practice with a high deviation between survey responses are discussed and adjusted if necessary.
Step 7: Perform a Gap Analysis
The gap analysis process involves extracting the high-gap practices and tagging and ranking each of them against solution categories that a consultant or topic expert determines.
The gap analysis results indicate where solution strategies and implementation roadmaps need to be focused on to reduce the most critical gaps.
What This Means
While it is clear that DevOps offers immense value for software deployment, adherence to best practices for DevSecOps is essential to reduce risk and assure security. Each organization is different and has different security postures. Therefore, the appropriate practices, security tools, and appropriate metrics may vary according to a risk assessment for each organization. This blog explains a gap assessment approach using my nine pillars of best practices for DevSecOps. My free DevSecOps assessment tool facilitates a gap analysis for DevSecOps and priorities to improve DevSecOps practices for an organization.
This piece was originally posted on May 10, 2021, and has been refreshed with updated styling.