You can’t buy DevSecOps (the practice of building security into your DevOps methodology), although the marketing noise around it may make you think you can. When you move your enterprise teams to a DevSecOps model, you need to see it as more than a technology stack. Here’s why.
Security Becomes Part of Development Culture
For many enterprises, application security meant doing the security work at the end of a waterfall development cycle. The security and development teams were often strangers, or even natural enemies.
DevSecOps brings the development, security, and operations teams together during each phase of an agile development life cycle. Done correctly, it makes security, and the security team, part of the development culture rather than a last sign-off before a feature goes live or a new product launches.
Becoming a development culture that prizes security isn’t going to happen overnight. You must collaborate with your line managers and senior staff to drive this cultural change as you journey toward DevSecOps.
DevSecOps Creates a Culture of Transparency
When developers, operations, security, and product management work in their own silos, it can be detrimental to product development. Pulling your teams together in a DevSecOps model is a path to greater transparency through data, analytics, and reporting. Better yet, the transparency comes from actual project data published on a centralized dashboard that can be the one source of truth for authorized team members and stakeholders.
Having these data available isn’t about just having a DevSecOps tech stack. It’s about putting processes and frameworks around the communications and retention of these data so that your developers, security, operations, and the business at large (product managers, business developers, executives) can use this actionable intelligence to maximum effect.
Increased transparency in the hands of the right managers and project leads can become a powerful diplomatic tool and even an equalizer among management peers. Data about project successes and issues come out in business terms, not in terms of a Microsoft PowerPoint slide show dripping in management speak.
Shared Goals and KPIs Become Possible
The next step after greater transparency is for your development, security, and operations teams to develop shared goals and key performance indicators (KPIs) for judging the success of cross-functional efforts along your continuous integration/continuous delivery (CI/CD) toolchain.
Using the actionable data that DevSecOps provides, all levels of management have facts on which to base business, technology, and security decisions. Such data can be a great equalizer (in the right hands) when politics or “he who talks the loudest” dominates corporate goal setting.
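As an added illustration (this code is not part of the original article and describes no particular product), the following Python computes three KPIs that development, security, and operations can share from the kind of data a CI/CD pipeline already produces: mean time to remediate scanner findings, the share of pipeline runs that passed the security gate, and open findings per team. The `Finding` and `PipelineRun` records, the team names, and the timestamps are constructed for the example, and the function names are hypothetical.

```python
"""Shared DevSecOps KPIs from pipeline data (added example, constructed input)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding as a CI job might record it (hypothetical schema)."""
    finding_id: str
    team: str
    severity: str               # "high", "medium" or "low"
    opened: datetime            # first build in which the scanner reported it
    closed: Optional[datetime]  # first build in which it no longer appeared, or None


@dataclass(frozen=True)
class PipelineRun:
    """One pipeline run and whether its security gate (e.g. SAST/SCA step) passed."""
    run_id: str
    team: str
    gate_passed: bool


def _utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample data; not data from any real project.
FINDINGS: List[Finding] = [
    Finding("F1", "payments", "high", _utc("2024-03-01T09:00"), _utc("2024-03-02T09:00")),
    Finding("F2", "payments", "high", _utc("2024-03-01T09:00"), _utc("2024-03-04T09:00")),
    Finding("F3", "payments", "low", _utc("2024-03-03T09:00"), _utc("2024-03-03T12:00")),
    Finding("F4", "search", "high", _utc("2024-03-02T10:00"), _utc("2024-03-02T16:00")),
    Finding("F5", "search", "medium", _utc("2024-03-05T08:00"), None),
]

RUNS: List[PipelineRun] = [
    PipelineRun("R1", "payments", True),
    PipelineRun("R2", "payments", False),
    PipelineRun("R3", "payments", True),
    PipelineRun("R4", "search", True),
    PipelineRun("R5", "search", True),
]


def mean_time_to_remediate_hours(findings: List[Finding], team: Optional[str] = None,
                                 severity: Optional[str] = None) -> Optional[float]:
    """Mean hours from first report to closure for the matching closed findings.

    Returns None when nothing matches so a dashboard shows "no data" rather than 0.
    """
    durations = [
        (f.closed - f.opened).total_seconds() / 3600
        for f in findings
        if f.closed is not None
        and (team is None or f.team == team)
        and (severity is None or f.severity == severity)
    ]
    return mean(durations) if durations else None


def gate_pass_rate(runs: List[PipelineRun], team: Optional[str] = None) -> Optional[float]:
    """Share (0.0 to 1.0) of pipeline runs whose security gate passed."""
    selected = [r for r in runs if team is None or r.team == team]
    if not selected:
        return None
    return sum(1 for r in selected if r.gate_passed) / len(selected)


def open_findings_by_team(findings: List[Finding]) -> Dict[str, int]:
    """Unclosed findings per team; a team with nothing open still appears with 0."""
    counts = {f.team: 0 for f in findings}
    for f in findings:
        if f.closed is None:
            counts[f.team] += 1
    return counts


def kpi_report(findings: List[Finding], runs: List[PipelineRun]) -> Dict[str, object]:
    """The handful of numbers a shared dashboard would publish to every team."""
    return {
        "mttr_high_hours": mean_time_to_remediate_hours(findings, severity="high"),
        "gate_pass_rate": gate_pass_rate(runs),
        "open_by_team": open_findings_by_team(findings),
    }


if __name__ == "__main__":
    for key, value in kpi_report(FINDINGS, RUNS).items():
        print(f"{key}: {value}")
```

The point of returning `None` rather than zero when a filter matches nothing is that a KPI of "0 hours to remediate" for a team that simply has no closed findings would read as success on a dashboard; the data should say that there is no data.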
Security Education for Developers Becomes a Reality
It’s easy to say that you want to provide security education for your development teams. Unfortunately, security education for developers gets lost in conflicting priorities and budgets. Yet, a move to DevSecOps makes security education for developers a necessary gate because security becomes part of every developer’s workflow and no longer the last stop before the software goes gold.
Developing a security education program for your developers can take many forms and paths. First and foremost, you’re going to want to involve your chief technology, information, and security operations officers, and even your auditors, in the initiative. Your security and development teams should also be active participants in training development, offering feedback, experience, and insights into the training. Using outside contractors to develop and deliver the security training can be tempting, but assigning this work to internal staff signals to your developers that the organization is confident in and invested in the effort. You’re also going to want the resources in house to iterate on your security training as your teams learn more and technology stacks change.
Final Thoughts
DevOps and now DevSecOps provide the tools for a much-needed cultural change inside many of today’s enterprises. Success with DevSecOps comes from being able to separate the technology stack from the data you can derive and channel into business and technology decisions.