When people think of DevSecOps the first thing that comes to mind is automation. A strong DevSecOps environment should employ tools that automate the following: Continuous Integration, Continuous Delivery, Continuous Testing, Continuous Deployment, and Continuous Monitoring.
While automation is certainly important, it’s just as important (if not more important) to build the mindset that “everyone is responsible for security” with the goal of safely distributing security decisions (to those with the highest level of context) without sacrificing the quality, performance, privacy, and safety required by the system. This type of model typically relies on “shifting security left” or engaging security earlier in the software development and operations processes.
Changing an organization’s mindset and culture doesn’t happen overnight. It requires hard work, training, coaching across the entire organization, and patience. While there is no silver bullet for changing organizational culture, a few critical components are necessary for any transformation.
- Building a Knowledge Base – Raising a developer’s security knowledge pays enormous dividends. Ongoing training and learning activities not only ensure that developers know how to be responsible for security but also ensure they stay on top of cybersecurity best practices.
- Promoting Openness – Openness in communication promotes collaboration and continuous improvement between development and security. Transparency of information through metrics and dashboards can be an effective mechanism for communicating what’s really going on in a quantitative way. By building trust and cooperation through openness, organizations can ensure security does not become purely reactive.
- Creating Cybersecurity Champions – The lack of highly qualified security professionals can make the transition from DevOps to DevSecOps difficult. Savvy organizations identify individuals who understand security within traditional Dev and Ops groups and trust these individuals to coach DevSecOps teams and act as the security conscience of the team during the transition.