Posted by Haidee LeClair on June 7, 2018
As we rapidly move toward DevSecOps, it’s worthwhile to take a breath and orient ourselves. Development and operations teams have already come a long way by aligning around the shared goal of delivering stable, high-quality software—quickly. By automating manual processes and building tools into the continuous integration and continuous delivery (CI/CD) pipeline, they’ve increased trust between groups, which is essential as these once-disparate teams tackle critical issues together.
When people talk about DevOps principles, it’s easy to assume the Three Ways are three alternative methods of applying DevOps in an organization. In fact, each Way is part of a single concept of DevOps, and each comes with prescriptive steps to help teams put it into practice.
This foundation leads naturally to DevSecOps. Incorporating DevOps principles into security work earlier in the software development life cycle (SDLC) creates shorter feedback loops and reduces complexity, so engineers can detect and fix security and compliance issues faster and with less effort.
“One of the top objections to implementing DevOps principles and patterns has been, ‘Information security and compliance won’t let us.’ And yet, DevOps may be one of the best ways to better integrate information security into the daily work of everyone in the technology value stream.”
Embracing a DevSecOps practice requires key cultural and practical changes to integrate security into all stages of the SDLC, including the following:
So there are just five essentials for successful DevSecOps? I know what you’re thinking—that’s easier said than done. How do you achieve each change in your organization?
Finding the right tools for your environment is an important step: you need tools that fit into your CI/CD workflows and run automatically. Not only that, but you need these tools to notify the right people when there’s an issue, educate them about it, and provide guidance on how to remediate it. And you can’t do that just once. You must test early in the development life cycle (often referred to as “shifting left”), again during integration and testing, and on through installation, deployment, and maintenance. Deployment isn’t the finish line, either: nothing guarantees that an application stays secure once it’s in production, so you must keep testing it there and remediate any new security issues as they surface.
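To make the pipeline integration above concrete, here is an added example (not code from the original post or from any vendor) of a minimal security gate that a CI/CD job could run at each stage. It assumes scanner output has already been normalized into a simple finding record (tool, rule, severity, path, message, remediation); the per-stage severity thresholds, the path-to-team ownership map and the sample findings are all constructed for illustration. Each stage blocks on a different minimum severity (stricter on the left, where fixes are cheapest), every finding is routed to the owning team together with remediation guidance, and a scheduled production scan uses the same logic to raise alerts rather than to block a merge.

```python
"""CI/CD security gate (added example; assumed generic finding format)."""
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Minimum severity that fails each pipeline stage (assumed policy). Earlier
# stages block on more because a finding is cheapest to fix there; in
# production the same gate runs as a scheduled job and a FAIL means "alert".
STAGE_THRESHOLDS = {
    "commit": "medium",        # pre-merge: SAST and secrets scan on the diff
    "build": "high",           # dependency (SCA) and container image scan
    "deploy": "high",          # IaC / configuration checks before release
    "production": "critical",  # DAST / runtime checks; alert, do not roll back
}

# Constructed ownership map: longest matching path prefix -> team to notify.
OWNERS = {
    "services/payments/": "payments-team",
    "services/auth/": "identity-team",
    "infra/": "platform-team",
}
DEFAULT_OWNER = "appsec-team"


@dataclass
class Finding:
    tool: str          # scanner that produced the finding
    rule_id: str       # scanner's rule identifier
    severity: str      # low / medium / high / critical
    path: str          # file the finding points at
    message: str       # what is wrong
    remediation: str   # how to fix it, sent along with the notification


def owner_for(path):
    """Route a finding to the team owning the longest matching prefix."""
    matches = [prefix for prefix in OWNERS if path.startswith(prefix)]
    if not matches:
        return DEFAULT_OWNER
    return OWNERS[max(matches, key=len)]


def evaluate(findings, stage):
    """Return (blocking_findings, notifications) for a pipeline stage.

    Every finding is routed to its owner with guidance; only those at or
    above the stage's threshold are returned as blocking.
    """
    threshold = SEVERITY_RANK[STAGE_THRESHOLDS[stage]]
    notifications = {}
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Fail closed: an unknown severity from a tool is a config bug,
            # not a reason to let the finding through silently.
            raise ValueError(f"unknown severity {f.severity!r} from {f.tool}")
        notifications.setdefault(owner_for(f.path), []).append(
            f"[{f.severity}] {f.tool}/{f.rule_id} in {f.path}: "
            f"{f.message} Fix: {f.remediation}"
        )
        if rank >= threshold:
            blocking.append(f)
    return blocking, notifications


def gate(findings, stage):
    """Print notifications and return the process exit code for the stage."""
    blocking, notifications = evaluate(findings, stage)
    for team, items in sorted(notifications.items()):
        print(f"notify {team}:")
        for line in items:
            print("  " + line)
    if blocking:
        print(f"{stage}: FAIL ({len(blocking)} finding(s) at or above "
              f"'{STAGE_THRESHOLDS[stage]}')")
        return 1
    print(f"{stage}: PASS")
    return 0


# Constructed sample findings, as a normalizer might emit them.
SAMPLE_FINDINGS = [
    Finding("secrets-scan", "hardcoded-credential", "high",
            "services/payments/config.py", "Hard-coded API key in source.",
            "Move the key to the secret manager and rotate it."),
    Finding("sca", "vulnerable-dependency", "medium",
            "services/auth/requirements.txt",
            "Transitive dependency pinned to a version with a known fix.",
            "Upgrade to the patched release and re-run the scan."),
    Finding("iac-scan", "bucket-logging-disabled", "low",
            "infra/main.tf", "Storage bucket has access logging disabled.",
            "Enable access logging on the bucket resource."),
]

if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "commit"
    sys.exit(gate(SAMPLE_FINDINGS, stage))
```

Run it with the stage name as the argument (`commit`, `build`, `deploy` or `production`); the non-zero exit code is what fails the CI job, while the printed notifications stand in for whatever chat or ticketing integration your pipeline actually uses. The same findings fail the commit stage, pass the production stage and still reach the owning teams in both cases, which is the behaviour the passage above asks for: block where it is cheap, alert everywhere, and always carry the fix with the alarm.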
“While adoption of DevOps methodology and CI/CD technology is significant, not all teams within enterprise organizations are necessarily doing any of it. Of our survey respondents, 36% reported developer/administrator teams were focused on continuous integration. Another 35% of respondents stated teams focused on continuous delivery, and 35% also reported a DevOps focus, although DevOps was ranked lowest in most industries, including traditional retail, SaaS and healthcare.”
Security tools and automation alone can’t secure your applications. Invest in your teams and empower them to build a true DevSecOps culture by making software security training a priority and ensuring that the training is relevant to each employee’s role and current projects. Perhaps most important, remember that DevOps isn’t a title change. It’s a genuine change to the culture of your company, and it takes time, training, tools, and the will to embrace that culture. Integrating security into the daily work of your DevOps teams takes effort, but it’s time well spent: development, operations, and security working together improve both the quality and the security of the software you deliver, which leads to faster delivery and, ultimately, happier customers.