DevOps and DevSecOps

The pandemic has been one of the major triggers of transformation programs across IT organizations, covering digitalization, automation, agility, resiliency and cybersecurity. These programs succeed when teams scale up and transition to new ways of working that let them deliver quality products at speed. That is made possible by educating teams, adopting new technologies, fostering collaboration between previously siloed teams and embedding security practices in the delivery pipelines. Security itself is nothing new, but terms such as "shift-left security" and "DevSecOps" are gaining currency. Security engineers are in demand, and security teams are expected to move to agile ways of working in which they work closely with product teams.

BUT... is DevSecOps replacing DevOps, or is it an extension of it?

"DevOps" is about bridging the development and operations teams so that they work as one team, a team that builds the product and runs it too. These teams, known as product teams or squads, work closely together from ideation through value delivery and then keep improving continuously. The two groups brought together are development and operations, but they are not the only teams needed to build and run a product; others, such as the security team, play an equally important role. In the traditional operating model the security team was called in on an as-needed basis, or only when something went wrong; now it is needed all the time. Security checks are not required only before an application deployment; they are needed at every stage of the product lifecycle. That is how "Dev-Sec-Ops" is evolving: it does not replace DevOps, it adds more value to product delivery and is the next step in the evolution.

So what is needed to enable this evolution from DevOps to DevSecOps? With agile ways of working, security engineers become an integral part of the product team from inception. They help the team define a secure architecture and manage policies, secrets, certificates, protocols and the like. After all, the basic mantra of DevOps is to "continuously improve", and the following key milestones help set that vision:

  1. Embrace DevSecOps: embed security experts in the product team, include them in all the agile ceremonies and foster a culture of trust and accountability. In turn, educate the developers and testers in the team on security principles, so that they understand the benefits and keep improving the new processes.
  2. Embed security practices in the pipeline: introduce security gates at every product phase, for example threat modelling to review the application architecture, static and dynamic testing (SAST and DAST) during build and test, and penetration testing around deployment. Each gate catches a class of problem earlier than the traditional pre-release review would, which is what "shift left" means in practice and is what lets teams keep their agility. A gate only counts as a gate if a failing check actually blocks the change; a scan whose findings are merely logged shifts nothing left.
  3. Look out for feedback: as teams settle into the new ways of working, listen to what they have to say about the change. Working as one team should be everyone's goal. Provide the support the teams need, such as training on developing and deploying secure code, and build a community of practice to continuously measure and track progress. Hold regular feedback sessions with the teams and encourage them to call out areas that need attention.
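As an added example (not code from the original post) of what a pipeline security gate looks like in practice, here is a small shell script that a CI job could run before the build stage: it fails the job when it finds a hard-coded credential in the source tree or a dependency pin that is on a vulnerable-version deny list. The credential patterns, the deny list and the file layout are constructed for this illustration; a real pipeline would use a dedicated secret scanner and a software composition analysis tool for these checks, but the gate mechanism, a step whose non-zero exit blocks the change, is the same.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal pre-build security gate
# that a CI job calls before the build stage. The patterns and the
# vulnerable-version deny list are constructed for this illustration; in a real
# pipeline they would come from a secret scanner and an SCA tool.

# Shape of an AWS access key id: "AKIA" followed by 16 upper-case alphanumerics.
aws_key_pat='AKIA[0-9A-Z]{16}'
# A literal credential assignment such as   password = "hunter22"
cred_pat="(password|passwd|secret|token)[[:space:]]*=[[:space:]]*[\"'][^\"']{4,}[\"']"

# Gate 1: hard-coded credentials in the source tree.
# Prints only file names (-l), so the secret itself never lands in the CI log.
# Returns 0 when clean, 1 when there is a finding (a non-zero exit fails the job).
secret_scan_gate() {
  src_dir="$1"
  secret_status=0
  if grep -rlE -e "$aws_key_pat" "$src_dir"; then
    echo "secret gate: possible AWS access key id in the files above" >&2
    secret_status=1
  fi
  if grep -rliE -e "$cred_pat" "$src_dir"; then
    echo "secret gate: hard-coded credential assignment in the files above" >&2
    secret_status=1
  fi
  return $secret_status
}

# Constructed deny list of package==version pins treated as known-vulnerable.
DENYLIST='examplelib==1.0.0
otherlib==2.3.1'

# Gate 2: pinned dependencies that are on the deny list.
# Expects one "name==version" pin per line, as in a pip requirements file.
dependency_gate() {
  req_file="$1"
  dep_status=0
  while IFS= read -r pin; do
    [ -n "$pin" ] || continue
    if grep -Fxq -e "$pin" "$req_file"; then
      echo "dependency gate: $pin is on the vulnerable-version deny list" >&2
      dep_status=1
    fi
  done <<EOF
$DENYLIST
EOF
  return $dep_status
}

# Run every gate and report all findings rather than stopping at the first one,
# so a developer gets the full picture from a single failed pipeline run.
run_gates() {
  gate_status=0
  secret_scan_gate "$1" || gate_status=1
  dependency_gate "$2" || gate_status=1
  [ "$gate_status" -eq 0 ] && echo "security gates passed" >&2
  return $gate_status
}

# Direct CI use:  sh security_gate.sh <source-dir> <requirements-file>
if [ "$#" -ge 2 ]; then
  run_gates "$1" "$2"
  exit $?
fi
```

The point of the script is the exit code: a gate only shifts security left if the pipeline actually stops on a non-zero status, which is why each check returns 1 rather than just logging a warning. Reporting all findings in one run, and printing file names rather than the matched secret, are small choices that keep developers from learning to work around the gate.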

The transition to DevSecOps is an evolving journey that demands a revised team structure, new roles embedded in the team, security gates at every stage of the lifecycle and continuous monitoring of progress through team-level and project-level metrics.

With that said, have you started your DevSecOps journey? Are there learnings you would like to share?