
DevSecOps Transforms the Dana Foundation

Sep 13, 2017

There’s a growing recognition that DevOps is critical for digital transformation. Yet, as many CIOs have learned—sometimes the hard way—establishing a business and IT framework based on agility and flexibility is a complex task.

Incorporating security into DevOps is even more difficult. After all, DevOps is more than a technology, and it’s more than a one-off project. It’s a delivery process that requires completely rethinking and reinventing development and operations.

One organization that has made a successful journey is the Dana Foundation. The endowment-based entity, which funds research in the field of neuroscience and operates a publishing arm, recognized that waterfall development methods were no longer adequate, says CIO James Rutt.

“It was very costly to rework applications that we were developing,” he recalls. “There was no solid security posture early on in the development lifecycle, and we were not utilizing some of the most up-to-date software development tools available.”

Two key areas of development stand out for the Dana Foundation. The first is web development for grant management, which includes overseeing grantees and the consultants who approve grants. “There’s a lot of information and operational items involved in the process,” Rutt says.

The second area centers on the organization’s publications and outreach program, including an annual brain awareness week. “About 70 percent of our web development involves applications that support this initiative,” he notes.

Adopting a DevSecOps Framework

After surveying the marketplace and then testing technology for a few months, the Dana Foundation adopted a DevSecOps framework based on a platform from CYBRIC. It went live with the platform in early 2017.

“We had two primary concerns: code quality and code security,” Rutt explains. “We were especially focused on reducing well-known vulnerabilities that are part of the OWASP Top 10. This includes issues such as cross-site scripting and cross-site forgeries.” The security-as-a-service platform stands up an exact replica of the application environment and scans that replica aggressively for security vulnerabilities.

The results have been impressive. “Developers are more productive, they don’t have to be involved in as much rework, and we have dramatically improved our security posture,” Rutt says.

While the DevSecOps initiative has helped the organization move faster, that’s only part of the story. The approach also has helped the foundation secure its code and systems more effectively: the organization has achieved a 40 to 50 percent reduction in code vulnerabilities, he adds.

The biggest challenge, Rutt says, was helping the development team fully understand the advantages of a DevSecOps approach. “Some of them didn’t know how a continuous delivery model works and how security could be integrated into the development lifecycle,” he explains.

“Once we communicated the benefits of DevSecOps, the [development team] became very excited about it. They realized their daily tasks and work would change, but that it was ultimately going to make their jobs easier and produce better and more secure code for the organization.”

Rolling out the technology was simple and straightforward, Rutt says. The cloud-based framework allowed the Dana Foundation to minimize disruption.

“We simply integrated the approach into our development pipeline,” he says. “We are much better prepared to deal with today’s business and cyber-security environment.”
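What “integrating scanning into the pipeline” looks like in practice is the part a practitioner will want spelled out. The following is an added illustration, not code from the Dana Foundation or from the CYBRIC platform: a small CI gate that reads a scanner’s findings, compares them against a baseline of findings already accepted on the main branch, and fails the build only when a new finding reaches the configured severity. The JSON finding format, the rule names, the file paths and the sample findings are all constructed for the example; a real scanner’s output would be mapped into this shape first.

```python
"""CI security gate: fail the build on NEW findings at or above a severity threshold.

Added illustration, not Dana Foundation or CYBRIC code. The finding format
(rule, severity, file, line, snippet) and the sample scans are constructed
for this example and do not come from any particular scanner.
"""
import hashlib
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output for the candidate build (hypothetical format).
CANDIDATE_SCAN = json.dumps([
    {"rule": "xss-reflected", "severity": "high", "file": "grants/views.py", "line": 42,
     "snippet": "return HttpResponse('Hello ' + request.GET['name'])"},
    {"rule": "csrf-missing-token", "severity": "high", "file": "grants/forms.py", "line": 17,
     "snippet": "<form method=\"post\" action=\"/grants/approve\">"},
    {"rule": "weak-tls-cipher", "severity": "medium", "file": "deploy/nginx.conf", "line": 9,
     "snippet": "ssl_ciphers HIGH:!aNULL:RC4;"},
    {"rule": "debug-enabled", "severity": "low", "file": "settings.py", "line": 3,
     "snippet": "DEBUG = True"},
])

# Constructed baseline: findings already known and tracked on the main branch.
# Note the XSS finding sits on a different line than in the candidate scan;
# the fingerprint below ignores line numbers so that moved code is not "new".
BASELINE_SCAN = json.dumps([
    {"rule": "xss-reflected", "severity": "high", "file": "grants/views.py", "line": 40,
     "snippet": "return HttpResponse('Hello ' + request.GET['name'])"},
    {"rule": "weak-tls-cipher", "severity": "medium", "file": "deploy/nginx.conf", "line": 9,
     "snippet": "ssl_ciphers HIGH:!aNULL:RC4;"},
])


def fingerprint(finding):
    """Stable identity for a finding: rule + file + flagged code, not the line number."""
    key = f"{finding['rule']}|{finding['file']}|{finding['snippet'].strip()}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def new_findings(candidate, baseline):
    """Findings in the candidate scan whose fingerprint is absent from the baseline."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in candidate if fingerprint(f) not in known]


def run_gate(candidate_json, baseline_json, fail_at="high"):
    """Return the new findings, the blocking subset, and whether the build may proceed.

    Unknown severity strings rank as 0 and therefore never block on their own.
    """
    candidate = json.loads(candidate_json)
    baseline = json.loads(baseline_json)
    threshold = SEVERITY_RANK[fail_at]
    fresh = new_findings(candidate, baseline)
    blocking = [f for f in fresh
                if SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold]
    return {"new": fresh, "blocking": blocking, "passed": not blocking}


if __name__ == "__main__":
    result = run_gate(CANDIDATE_SCAN, BASELINE_SCAN)
    for f in result["new"]:
        flag = "BLOCK" if f in result["blocking"] else "warn "
        print(f"[{flag}] {f['severity']:<8} {f['rule']:<20} {f['file']}:{f['line']}")
    # A non-zero exit is what makes the CI stage fail.
    sys.exit(0 if result["passed"] else 1)
```

Gating on new findings rather than on the whole backlog is what makes the shift-left approach tolerable for a team with existing debt: the pre-existing XSS and the weak cipher still show up in reports, but only the freshly introduced CSRF gap stops this build, and the new low-severity debug flag is surfaced as a warning without blocking.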

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved