2019 CSO50 Awards

Verizon builds a DevSecOps culture with its developer dashboard

Verizon's developer dashboard not only records how vulnerabilities are introduced and by whom, but provides indicators as to why. The goal isn't to name and shame, but to instill a secure-by-design mindset.

DevOps and the cycle of continuous integration and continuous delivery have become common software development practices. But the integration of development and operations still often leaves security as an afterthought tacked onto the end. This has led to the creation of the DevSecOps concept.

DevSecOps aims to integrate security into every stage of the development processes, meaning everyone is involved in ensuring applications are secure. This can, however, be a hard sell for developers and business leaders who are more interested in results and moving into production. 

Telecom giant Verizon is one such company looking to combine its DevOps practices with a secure-by-design approach. To encourage that culture change, the company created a developer dashboard — a project that earned Verizon a CSO50 award for security innovation.  

Driving culture change

Verizon is the second largest telecom company in the U.S., boasting revenues of $131 billion in 2018 and over 140,000 employees worldwide. Originally formed from the breakup of the AT&T Corporation’s Bell System Corporation, today the company offers a range of telecom hardware, services, and infrastructure to consumers and businesses.

manah khalil verizon Verizon

Manah Khalil, IT director - application security, Verizon

As Verizon IT worked to implement DevOps processes and move more applications to the cloud, the AppSec team needed a way to facilitate secure DevOps practices and help drive a culture change within the company. “We needed something that is more sustainable that can help us build a larger influence of our centralized team, and at the same time, not burn the IT application team by keep dumping more work on their to-do list,” explains Manah Khalil, IT director of application security. 

Khalil and his team are responsible for application security across all of Verizon’s businesses and IT portfolios. Khalil's team also handles security education and awareness among the company’s developers.

To help drive DevSecOps adoption and nurture a security culture, Verizon created the developer dashboard program. It combines technical aspects of vulnerability management with individual accountability to help instill a security mindset among the company’s developers.

Finding insights in developer data

The developer dashboard is a centralized, real-time record of how vulnerabilities are introduced into applications within Verizon’s business. It keeps track of scanning frequency and results, as well as the types and density of vulnerabilities within any one of the 2,100 applications being monitored (measured per 10,000 lines of code). It provides a view of where in the development lifecycle that vulnerability was introduced and by whom.

The dashboard also ties in with learning management systems (LMS) and organizational charts and responsibilities. This provides insight into whether certain teams or individuals are spread too thin across too many applications or projects, are repeatedly making the same kinds of errors, and have had or need more education and training.

“Typically, in a software, you can measure the number of vulnerabilities, you can measure the density, but how does it relate to the culture?” says Khalil. “You have so many dashboards out there; dashboards that are looking at your build quality, at your code quality, how often are you generating new builds, testing it, deploying, etc,” he says. “But those are more meant as a to-do list; the achievements that you've done and your technical debt, and by when you can achieve a certain set of milestones and deliverables. We're trying to use this as a way to look for the change and the culture change.”

To continue reading this article register now

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!