Perhaps your organization is already experimenting with DevOps tools or considering how to move towards DevOps. Maybe you're still relying on ad hoc processes. Then suddenly your C-suite or auditors raise the need to standardize on a secure and agile development process. Enter DevSecOps.
To mitigate the challenges that come with DevSecOps adoption, you'll need to make it a team effort. Here's what you need to do.
It's vital to start with a small proof-of-concept project, apply your lessons learned, and then build upon your successes. Choosing a small project is best done by involving a business stakeholder open to moving one of their smaller projects to a DevSecOps development model. Application migration to the cloud is an opportune time to conduct such a proof-of-concept project.
Foster DevSecOps advocates across your organization
Just like DevOps, moving to DevSecOps is ultimately about people and culture.
A move to DevSecOps requires that you build internal DevSecOps advocates to spread the good word. Here are some everyday advocates and champions you should consider:
- An individual contributor and early adopter angling to build more secure applications: Think of the person to whom the other developers go with their questions.
- A business stakeholder who will benefit either by increasing security or by boosting sales with the move to DevSecOps: Think about the salesperson or business developer who can better serve their customers if your company can securely deliver additional features and versions. A government agency manager (with budget control) whose division is migrating their legacy applications to the cloud to meet FedRAMP compliance could be another potential advocate.
- Development team project leads who manage teams that deliver code but get stuck in endless rounds of security updates to mitigate issues that made it into production: DevSecOps offers them automation and frameworks that can take some of that work off their team's shoulders, so they can give their attention to more strategic tasks.
Implement automation incrementally with team support
Automating security checks sounds appealing to some executives and financial staff; they hear "automation" and think "saving dollars by cutting the staffing headcount." This perspective is counterproductive for garnering support from developers.
As you move from DevOps to DevSecOps, there is a delicate balance between automation and security. Analyze what automation tools are already in place in your DevOps toolchain and determine whether they support security integration. You can then build out your automation strategy from there. Collaborate with the teams who will benefit from automation at each step of the implementation. You want to communicate a way forward for your teams and quell any anxiety, including among staff working from home, about losing their jobs because of DevSecOps.
Prevent developer overload
You run the risk of creating developer overload when you add security responsibilities to developers' existing workload. After all, we are only just entering an era in which developer-friendly application security tools are reaching the market.
Too many of today's application security tools are designed for security teams, and it often takes hours or days before the security team delivers its findings to the development team for remediation. It's up to your leadership to put the tools, training, and frameworks in place that help prevent developer overload.
One last thing
Getting on the fast track to DevSecOps means taking care of your people and being proactive when they worry about automation. Teams benefit most from the DevOps to DevSecOps transformation when they play active roles in making the transformation happen.