DevSecOps: putting security first in your organization

Mar 04, 2022

Data breaches, phishing, ransomware, DDoS attacks… Cybercrime is having a field day, and all experts agree that things are likely to get worse. Luckily, cybersecurity is starting to catch up as well – not just in the form of sophisticated tools, but also as part of an organizational development framework. Take ‘DevSecOps’, for example.

DevSecOps stands for ‘development, security and operations’, and its core idea is pretty simple: guaranteeing application security from the earliest stages of the development lifecycle, and making it a shared responsibility for all involved. Making this possible requires high levels of automation, as well as a significant mental shift for most teams.

A ‘shift left’ for security

As you may have guessed, DevSecOps basically adds a ‘security’ dimension to the widely known DevOps framework. They also have the same basic goals: to transcend traditional silos and facilitate collaboration, shorten time-to-delivery, and enable the continuous delivery of high-quality software. 

Joachim Dheedene, DevSecOps lead at delaware, explains: “In the past, development, operations and security teams all worked separately and in succession on software. As a result, security issues were discovered very late in the process, if at all. Not only could these halt the entire process, they often required months of rework from the development team, causing considerable delays. Now that development cycles take only weeks or days, this siloed approach is simply not scalable anymore. With DevSecOps, the security team is involved right from the start, in what is known as a ‘shift left’.”


Automation: the cornerstone of DevSecOps

In practice, DevSecOps wouldn’t be possible without high levels of automation. “When you involve security every step of the way, you have to validate and test all the time,” Joachim explains. “Automation makes the whole process manageable. At the same time, it protects us against complacency. As humans and experienced developers, we often think we can predict the results of every action we take, causing us to overlook certain things. But security issues are always unexpected. By automating security testing and validation, we are ‘outsourcing’ the discipline it would take to be constantly vigilant.”

Setting up security automation doesn’t require a complete overhaul either. “It’s best to start small, and raise the bar bit by bit. After all, there is no use in creating an overwhelming list of security alerts no one will pay attention to after a while. You have to keep it manageable and actionable. Remember: it’s always safer to do something rather than nothing. Luckily, tools like GitHub drastically lower the threshold for organizations to start automating processes.”

Pulling the cord

In the end, however, the success of DevSecOps still depends on the people implementing it. And just as with DevOps, adhering to its principles requires a certain mental shift. Joachim: “Quality and security really need to become everyone’s problem. This also means that, when an issue is detected in the middle of a development sprint, you need to be able to stop what you’re doing immediately. Most teams are not used to doing that.” 

“Just like Toyota’s Andon cord, which allowed every employee in the plant to stop production at any time, DevSecOps is a great way to improve both quality and speed of delivery. That may sound counterintuitive, but you have to keep in mind that every stop offers an immediate opportunity for improvement, instead of letting an issue move further down the line where it will become a lot more costly to solve.”
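One way to implement the “start small, raise the bar bit by bit” approach and the Andon cord described above, as an added example that is not code from the original article or from delaware: a ratcheting gate that stops a pipeline step only when findings at or above a chosen severity exceed a recorded baseline, and tightens that baseline whenever findings are fixed. The scanner report format, the baseline, and all names are assumptions.

```python
"""Ratcheting security gate for a CI step (hypothetical, self-contained).

Record today's findings as the baseline so the team is not flooded with
alerts, fail the build ("pull the cord") as soon as a new finding at or
above the gated severity appears, and lower the baseline whenever a run
has fewer findings, so the bar only ever moves up.
"""
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (not from a real tool): one dict per finding.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "rule": "hardcoded-secret"},
    {"id": "F-2", "severity": "high", "rule": "sql-injection"},
    {"id": "F-3", "severity": "medium", "rule": "weak-hash"},
]
# Constructed baseline as recorded after the previous accepted run.
SAMPLE_BASELINE = {"critical": 0, "high": 1, "medium": 1, "low": 2}


def count_by_severity(findings):
    """Count findings per known severity; unknown labels are ignored."""
    counts = Counter(f.get("severity", "").lower() for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def gate(findings, baseline, threshold="high"):
    """Return (passed, reasons). Severities at or above `threshold` whose
    count exceeds the baseline block the build; lower ones never block,
    which keeps the alert list manageable while the bar is raised."""
    counts = count_by_severity(findings)
    reasons = []
    for sev, n in counts.items():
        allowed = baseline.get(sev, 0)
        if n > allowed and SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]:
            reasons.append(f"{sev}: {n} found, baseline allows {allowed}")
    return (not reasons, reasons)


def tighten(findings, baseline):
    """Ratchet applied after a passing run: the new baseline never rises
    above the old one and drops to the current count when findings fall."""
    counts = count_by_severity(findings)
    return {sev: min(counts[sev], baseline.get(sev, counts[sev]))
            for sev in SEVERITY_RANK}


if __name__ == "__main__":
    ok, why = gate(SAMPLE_FINDINGS, SAMPLE_BASELINE)
    print("PASS" if ok else "FAIL: " + "; ".join(why))
```

In a real pipeline the baseline would be committed alongside the code and rewritten by `tighten` only on green runs, so every fix is locked in and a regression stops the line immediately.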

Continuous improvement

In a time where systems become increasingly complex, expectations and requirements for applications are sky-high, and we’re witnessing an unprecedented uptake in security risks, DevSecOps offers the ideal framework to take action fast while also improving quality. “Thanks to the emergence of tools like GitHub, the automation part of DevSecOps is fairly easy to solve,” Joachim continues. “It’s the people part that is the most challenging. That’s why it’s important to have an advocate for DevSecOps within your organization. In this way, you can make security a part of your continuous improvement journey.” 

Want to up your organization’s security as well as quality and speed of delivery with a robust, agile framework? In just a few days, our experts can get you on the right track – coaching included. Let’s talk.