

Incorporating A DevSecOps Engineering Culture at UKHSA

4th October 2023 by Suyash Kumar, DevSecOps

Today's technical landscape continues to evolve ever faster, and a DevSecOps culture has become a necessity rather than an option.

With support from Capacitas, the United Kingdom Health Security Agency (UKHSA) recognised the significance of this culture shift and has embarked on a journey to integrate DevSecOps best practices into its technical ecosystem. Let us explore how this transformation is taking shape within UKHSA and why it is crucial to modern software development at any organisation. 

Prioritising Tech - Automation and Cloud

At the heart of a DevSecOps approach is a commitment to automation and cloud technologies. UKHSA acknowledges the importance of standardising toolsets, ensuring that teams across the organisation have access to the same automation capabilities. This standardised tech stack forms the foundation for efficient and secure software development and delivery. 

 

Quality and Security Assurance Throughout the Lifecycle

DevSecOps is not just about security but also about democratising quality assurance and monitoring. UKHSA aims to empower DevOps teams to take ownership of security, quality, and monitoring. By integrating these aspects throughout the development lifecycle, teams can identify and address issues in real-time, reducing the risk of vulnerabilities and defects reaching production. 

 

Culture of Ownership

A crucial aspect of DevSecOps is fostering a culture of ownership within teams. Every team member is encouraged to follow the DevSecOps operating model. Maturity assessments are conducted to ensure that all teams are aligned with best practices and continuously improving their processes. 

 

Optimising the Delivery Triangle 

DevSecOps aims to optimise the "delivery triangle" composed of speed, cost, and delivery quality. It's not about cutting corners or overspending but achieving a balance through the principles mentioned above. By prioritising tech, ensuring quality, and instilling a culture of ownership, UKHSA seeks to streamline the software delivery process.

 

Benefits of Embedding Engineering Culture

  • Faster Software Rollout: With DevSecOps practices in place, UKHSA can increase the cadence of product delivery. Bugs and vulnerabilities are identified and resolved in real-time during development, leading to quicker and more reliable software releases. 
  • Lower Operating Costs: Continuous delivery pipelines catch bugs before release, when they are cheapest to fix, reducing the cost of addressing them in production. 
  • Reduced Resistance to Change: The "little and often" approach of DevSecOps reduces resistance to change within organisations. Teams collaborate more closely, fostering a culture of cross-collaboration and innovation. 
  • Reduced Gaps in Knowledge: Through online education and communication, UKHSA's developers are becoming more aware of security best practices. This reduces gaps in DevSecOps expertise within the organisation. 
  • Increased Security: DevSecOps processes raise the security baseline. Engineers consistently review code for vulnerabilities, and improved communication and transparency speed up vulnerability patching.
  • Increased Compliance: DevSecOps enables UKHSA to develop products that meet international data security requirements, ensuring compliance with regulations.

 

Fundamental DevSecOps Principles

Through joint efforts, the importance of adhering to key DevSecOps principles has been reinforced across UKHSA product delivery teams. The primary principles to consider in any DevSecOps engagement are as follows:

  • Automation: Automating end-to-end processes to optimise, secure, and assure products, for instance by building pipelines for automated testing wherever feasible. For the Covid Dashboard project, Capacitas built a GitHub Actions security scanning pipeline that automatically runs code and vulnerability scans on every push to the GitHub repository.  
  • Tool Utilisation: Leveraging the correct tools for various aspects of the development process, such as CI/CD and release management 
  • Continuous Compliance: Maintaining a continuous state of compliance with best practices 
  • Regression Testing: Implementing automated regression testing to ensure product stability 
  • Agile Principles: Embracing small, frequent releases based on agile principles 
  • Modular Architecture: Utilising modular architecture and elastic infrastructure to support changing demands 
  • Security Mindset: Cultivating a security mindset across all team members and stakeholders 
  • Threat Preparedness: Developing plans for addressing threats and IT disaster recovery 
  • Addressing Vulnerabilities: Proactively addressing vulnerabilities and bugs 
  • Building a DevSecOps Culture: Nurturing a culture that champions DevSecOps principles and investing in training and skills development 
  • Collaboration: Collaborating with other teams to spread the DevSecOps culture throughout the organisation 
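To make the automation principle concrete, below is an added example of the kind of push-triggered GitHub Actions scanning workflow described above. It is illustrative only and is not the Covid Dashboard project's pipeline or any Capacitas deliverable: the job names, the choice of scanners (CodeQL for static analysis, Trivy for dependency scanning, TruffleHog for leaked credentials), the version tags, the Python language setting and the severity threshold are all assumptions for illustration.

```yaml
# Added example, not UKHSA's or Capacitas' actual pipeline.
# Runs code, dependency and secret scans on every push to main and on every
# pull request. Action names, versions and scan settings are assumptions;
# pin each action to a full commit SHA before relying on it in production.
name: security-scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the workflow only needs to read the repository and
# upload SARIF results to the repository's code-scanning tab.
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    name: Static analysis (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python   # assumption: a Python codebase
      - uses: github/codeql-action/analyze@v3

  dependencies-and-secrets:
    name: Dependency and secret scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so secret scanning covers old commits
      - name: Scan lockfiles for known-vulnerable packages
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH   # assumption: threshold agreed with the team
          ignore-unfixed: true      # do not block builds on issues with no fix yet
          exit-code: '1'            # fail the job when findings meet the threshold
      - name: Scan git history for leaked credentials
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified   # report only credentials that validate live
```

Two points a practitioner would check before adopting something like this: the `exit-code: '1'` setting is what turns the scan from a report into a gate, so the jobs should also be listed as required status checks in the branch protection rules, otherwise a failing scan does not stop a merge; and `--only-verified` suppresses unverified matches to keep noise down, at the cost of missing secrets for services TruffleHog cannot validate, so periodically review the full output as well.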

 

The journey towards a DevSecOps culture within UKHSA is driven by a commitment to optimising software delivery while maintaining high quality, security, and compliance. By prioritising automation, quality assurance, and a culture of ownership, UKHSA is well on its way to achieving a more efficient and secure technical landscape. This cultural shift not only benefits the organisation but also contributes to the broader transformation of software development practices in today's dynamic world. 

 

At Capacitas, we have worked with various clients to ensure that their CI/CD pipelines cover these fundamental principles. Alongside guidance across the rest of their DevSecOps journey, this has helped them increase overall capability and organisational maturity in support of technology growth, using automation to speed up development cycles without sacrificing quality or security.

For more information or to ask for more practical advice on the topics covered in this blog, please reach out to us via our website or reach out via email at contact@capacitas.co.uk

About the Author

Suyash Kumar is one of Capacitas' consultants. Suyash specialises in automating DevSecOps pipelines for development teams using GitHub and has enabled Capacitas clients' teams to adopt engineering best practices.