Making a major operations transition must be a long-term and well-planned process. Because DevSecOps is an important step in the DevOps journey for your organization, you are more likely to find success if you introduce and implement your transformation in phases.
In my previous article, I explained the first three phases of making this change. This article presents three additional phases of DevSecOps transformation you must work through to achieve your goals. Finishing these phases requires that you foster team collaboration to carry your organization through security changes, going live with DevSecOps, and putting the tools in place for continuous learning and iteration of your DevSecOps toolchain and processes.
Phase 4: collaborate on security changes to your DevOps toolchains
Some security changes on the move to DevSecOps may adversely affect operations and even security compliance. Changes to tools, processes, and even staffing sometimes change the way teams work.
Your development, operations, and security teams must collaborate before deployment and at other touchpoints to set priorities. Security teams sometimes prioritize a security measure that adversely impacts operations. Likewise, your developers probably overlook some holes caused by system configurations that could compromise the security and compliance of your systems.
Predeployment reviews provide a prime collaboration channel. When you conduct predeployment reviews during your DevOps to DevSecOps transformation, you give your developers and security staff a forum through which they can educate each other on their team's priorities and informed tradeoffs.
Phase 5: execute on DevSecOps
As your organization crosses into phase 5 of your DevOps to DevSecOps transformation, it's time to execute your plans with one or more teams. Don't move to Phase 5 as an entire organization. Instead, look for natural breaks in your project teams' schedules for them to move to a DevSecOps model. For example, say that one of your DevOps teams has just launched a new product release. After catching their collective breath, they're working on bug fixes that come in from the field. Don't interrupt their flow with a full-on move to DevSecOps during an in-progress project.
Look for new project opportunities to begin executing on DevSecOps. Such an approach offers the following advantages:
- Providing teams a clean slate to learn a new process from the beginning, not midstream during a project
- Enabling you to include process and tools training as part of the project kickoff process
- Affording the chance to bring your developers, operations, and security teams together to discuss mutual expectations for the project
- Giving teams a chance to learn to work together better during the new workflows that DevSecOps brings to an organization
Phase 6: pursue continuous learning and iteration
There is no formal end to an adequately executed shift from DevOps to DevSecOps. After your organization moves to DevSecOps and adopts the principles and foundations, the learning and iteration need to continue past the transformation.
As there is no single accepted DevSecOps definition for the industry, you can expect to learn a lot as your DevSecOps journey gains momentum and your processes mature. You also need to prepare your organization for changes in DevOps and DevSecOps philosophies that might benefit your internal efforts.
The phases I outline in this series are general guidelines for a path toward achieving your DevSecOps transformation. The emphasis on collaboration is deliberate because your enterprise's particular circumstances could require that you modify these phases to achieve your transformation. Even if you need to make substantial changes to these phases, having a graduated implementation roadmap will get you much closer to success.