Johannesburg, 31 Mar 2022
DevSecOps, the mere mention is enough to give developers, QA managers and security teams a shiver down their spine.
And who can blame them. Most developers, QA managers and security team members agree on the importance of security within the DevOps practices, but disagree on the implementation.
To understand it better, let’s remove the 'Sec' and look at just the DevOps. DevOps is a set of principles, practices and processes that are designed to streamline the development process through the effective use of communication, integration and automation. Meaning that its priority is to build software in a continuous and rapid way.
So, if we want to successfully add the 'Sec' into DevSecOps, it will need to adhere to the primary principles of DevOps while still providing the security required to deliver secure software development, some things that a few years ago would have been almost impossible. But thankfully, due to the vast improvements made within processes, technology and organisations' culture, it is now possible to add the 'Sec' without breaking the DevOps. The question now is, how do you do it?
Especially when many organisations make use of different agile software development methodologies, like Scrum and CI/CD, that are used alongside their DevOps practices, where do you begin?
“To know thyself is the beginning of wisdom.” – Socrates
The first step is to gain an understanding of your current software development practices. This can be done using an assessment, like our DevOps Assurance Maturity Assessment, which would provide a structured way of collecting the information you need to build a good baseline from where to start.
The next step now is to determine what is needed to improve your security posture. This can be done using a technology and process agnostic model, like our DevOps Assurance Maturity Model. The model provides a prescriptive roadmap and building blocks that will make it easier to uncover your security shortfalls, fill in the gaps and measure the security-related activities.
The same model can be used to formulate a deployment plan using a prescriptive roadmap that maps out the recommended security principles, practices and associated tools that are needed at the different stages of your DevOps pipelines. The model will also allow you to implement the security principles, practices and tools in iterations that can be continually improved on as your DevSecOps programme matures.
All that is left now is to put the deployment plan into action and to roll-out the security principles, practices and tools. It's important to note that this should not be seen as a security team-owned exercise, but a joint initiative involving all stakeholders in the software development life cycle.
In summary, there is no one size fits all for DevSecOps, but with the right partner, models and methodologies, the journey could be that much easier.
Share