DevSecOps: Fitting Security Teams Into the World of DevOps

There are so many terms floating around IT today. Just as you start to figure out DevOps, DevSecOps (or Secure DevOps) jumps onto your radar. It's certainly not a new term by today's standard of "new," but it doesn't have the same recognition that DevOps has.

DevSecOps is as simple as it sounds: the conscious integration of security into the DevOps process. With Meltdown and Spectre in the news, having efficient security processes is critical. The mindset of DevOps and DevSecOps is essentially the same: increase collaboration and efficiency. One question you might be asking is, what is the benefit of DevSecOps over DevOps alone?

Will integrating security slow down DevOps?

A core tenet of DevOps is speeding up the development pipeline to keep up with a more demanding marketplace. Adding security measures to that process might seem likely to slow it back down. However, when security testing is integrated into the development process, developers find issues faster, and there is more confidence in releasing a product. Development teams won't have to scramble to make changes when the security team finds problems after a release is live.

It's better to be proactive with any software release. Given how promising DevOps is for the pace of releases, it makes no sense to leave security teams out of the loop. Letting security teams help across the entire development pipeline will save time later in the process.

More Collaboration

IT culture is changing rapidly in the way it operates. DevOps preaches integration and breaking down IT silos, and that has been key to the success of many modern businesses. However, security teams are often left out of this integration.

Sometimes the security team comes in after the code is live and things are already out of control. For example, a development team might need to do some image processing from a library, but the library they chose is vulnerable. It would be much easier for the development and operations teams to work with the security team to catch issues like this earlier in the pipeline. Collaboration is far more efficient than pointing fingers, and collaborating with security teams allows both sides to have more empathy for each other's responsibilities. Secure code is something all teams are striving for; integrating security into DevOps is the natural next step to creating optimal software.
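To show what "catching a vulnerable library earlier in the pipeline" looks like in practice, here is a minimal dependency gate a CI job could run before a build is allowed to ship. This is an added example written for this page, not code from the article or from any vendor. The pinned requirements file and the advisory feed are constructed sample data: the package names, advisory IDs, version ranges and summaries are hypothetical, and a real pipeline would pull advisories from a vulnerability database rather than an inline list.

```python
"""Minimal dependency gate for a CI pipeline (added example, not from the article).

Assumptions: the requirements text and ADVISORIES below are constructed sample
data with made-up package names and advisory IDs. Versions are assumed to be
plain dotted integers (1.2.0), which is enough for the sample but not for the
full range of real version strings.
"""
import re

# Constructed advisory feed. Names, IDs and ranges are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "imgproc",
     "introduced": "1.0.0", "fixed": "1.2.4",
     "summary": "hypothetical: crafted image crashes the decoder"},
    {"id": "EXAMPLE-2024-0002", "package": "fastjson-py",
     "introduced": "0.5.0", "fixed": "0.6.1",
     "summary": "hypothetical: unsafe deserialization of untrusted input"},
]

# Constructed lock file, as the build job would see it.
REQUIREMENTS = """\
imgproc==1.2.0
requests-lite==2.31.0
fastjson-py==0.6.1
# comments and blank lines are ignored

"""


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {name: version}; a dependency not pinned with '==' maps to None."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
        else:
            # Record unpinned dependencies so the gate can refuse them:
            # an unpinned dependency cannot be matched against an advisory.
            name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0]
            pins[name.strip().lower()] = None
    return pins


def find_vulnerable(pins, advisories):
    """Match pinned versions against advisory ranges [introduced, fixed)."""
    findings = []
    for name, version in pins.items():
        if version is None:
            findings.append({"package": name, "version": None, "id": None,
                             "reason": "not pinned to an exact version"})
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({"package": adv["package"], "version": version,
                             "id": adv["id"], "reason": adv["summary"]})
    return findings


def gate(requirements_text, advisories=ADVISORIES):
    """Return (ok, findings); ok is False when anything should block the build."""
    findings = find_vulnerable(parse_requirements(requirements_text), advisories)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = gate(REQUIREMENTS)
    for f in findings:
        print(f"BLOCK {f['package']} {f['version'] or '(unpinned)'}: "
              f"{f['id'] or '-'} {f['reason']}")
    # Non-zero exit is what makes the CI job fail before the artifact is built.
    raise SystemExit(0 if ok else 1)
```

With the constructed data, imgproc 1.2.0 falls inside the advisory range and fails the gate, while fastjson-py 0.6.1 sits exactly at the fixed version and passes; the half-open range is the detail that matters when comparing against a real feed. The gate also refuses anything that is not pinned exactly, because an unpinned dependency cannot be checked at all.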

Cross-Training

Understanding the specifics of what your colleagues are looking for makes the entire software release process easier. DevOps is about trust and cooperation, and training can bring teams closer together. It doesn't make sense to bolt on security measures after a product is released or right before it ships; knowing what security teams will be looking for makes the whole process easier for everyone.

Another way to accomplish this is the approach the software company Puppet has adopted: a three-day internal conference with subject matter experts from across the IT fields. Employees hear from operations, security, and development team members about exactly what each is looking for. This kind of creativity is an excellent way to learn the nuances each team focuses on. Training along with open dialogue lets each team know exactly what to expect, and how to help.

Tyler W Stearns

Editor, DevOps & Network Monitoring at Solutions Review
Tyler is an enterprise technology writer and analyst covering DevOps and Network Monitoring at Solutions Review. He obtained a Bachelor of Arts Degree in English from the University of Massachusetts, Boston. You can reach him at tstearns@solutionsreview.com