DevSecOps Executive Insights

To understand the current and future state of DevSecOps, I gathered insights from 29 IT professionals in 27 companies. Here’s who shared their thoughts:

• Anne Baker, V.P. of Product Management & Marketing, Adaptiva
• Steven Aiello, Solutions Principal, AHEAD
• Gadi Naor, Co-founder & CTO, Alcide
• Mike Stahnke, VP of Platform, CircleCI
• Brian Nash, Director of Product Marketing, and Brian Dawson, DevOps Evangelist, CloudBees
• Michael Rose, Vice President of Engineering, Cybera
• Doug Dooley, COO, Data Theorem
• OJ Ngo, CTO & Co-Founder, DH2i
• Kris Lahiri, Co-founder, Egnyte
• Brian Platz, Co-founder & Co-chairman, Fluree
• Javed Shah, Director of Product Management for Cloud and DevOps, ForgeRock
• Malcolm Isaacs, Senior Solutions Manager, Application Delivery Management, Micro Focus
• Gary Duan, CTO,NeuVector
• Yogesh Badwe, Director of Information Security, Okta
• Franklin Mosley, Senior Application Security Engineer/Evangelist, PagerDuty
• David Strauss, CTO & Co-founder, Pantheon
• Jeff Keyes, CMO, Plutora
• Vishnu Nallani, VP & Head of Innovation, Qentelli
• Sheng Liang, Co-founder & CEO, and Shannon Williams, Co-founder & VP Sales & Marketing, Rancher Labs
• Gene Yoo, CEO, Resecurity
• Altaz Valani, Research Director, SecurityCompass
• Jim Hansen, V.P. Products, SolarWinds
• Colby Dyess, Director of Cloud Marketing, Tufin
• Tim Hinrichs, CTO & Co-founder, Styra
• Joseph Feiman, CSO, WhiteHat Security
• Andrei Bezdedeanu, VP of Engineering, ZeroNorth
• Tim Reilly, COO & CFO, Zettaset

You may also enjoy:  Attributes of a Positive DevSecOps Culture

Here’s what they told me:

• The most important elements of a successful DevSecOps implementation are automation, shifting left, and collaboration. Eliminate as many manual steps as possible so security becomes a first-class citizen of DevOps workflows. The goal is to embed security early-on into every phase of the development and deployment lifecycle. By designing a strategy with automation in mind, security is no longer an afterthought. This ensures security is ingrained at the speed and agility of DevOps without closing business outcomes.

Shift security left in the engineering lifecycle. Security should be imbibed as a design mentality instead of being an afterthought. If you don’t make DevSecOps part of the lifecycle from the planning, design, code, and rollout perspective, you will miss opportunities to expose vulnerabilities that could expose the business to risk.

A successful DevSecOps implementation starts with a strong alignment between development and security teams. Engage the security side throughout the value stream. Have more collaboration with shared goals around security. While each team has its own unique needs and constraints, collaborating enables the groups to leverage their respective strengths to work around constraints and achieve business goals.

• The attributes of a successful DevSecOps culture are how security becomes ingrained throughout the organization, greater collaboration, and the use of metrics to determine progress. Everyone becomes concerned about security and sees security as their own responsibility and not someone else’s problem. There should be proactive security across every team. InfoSec is embedded with data security and good processes for the architect and development team to develop good code. 

• There is a focus on partnership rather than blame. Everyone from executives to project teams are on the same page regarding the importance of security. There is a trust and shared responsibility of security outcomes with a culture of visibility and transparency so everyone involved can learn what works and what doesn’t.

• There are clear security-driven metrics. Security is measured at each stage of the engineering lifecycle. The culture is governed by shared security KPIs and by bringing in the right people.

DevSecOps solves problems around velocity, risk, security consciousness, and software quality. Embracing DevSecOps maintains innovation velocity that translates to business goals without skimping on security. It helps ensure that security is integrated into the fast-moving environment. With security integrated into developer workflows, there are faster, more secure releases without stifling developer innovation. It accelerates bringing secure applications to market, while significantly reducing the time to respond to increasing threats.

Risk is reduced by designing with security baked in from the beginning. Databases with security baked in are inherently less risky. Vulnerabilities will be detected earlier, making them easier to fix, and reducing the chance of the vulnerability escaping into production and exposing the organization and its clients to risk.

Developers become more security conscious and this results in better software. DevSecOps ensures security is a norm and not an afterthought. Security becomes part of the ongoing engineering process and results in better software that’s easy to operate and provides a better user and customer experience (CX).

1. Compliance is one of the more frequent use cases for DevSecOps. DevSecOps helps comply with security standards and auditing systems – anywhere an audit trail is needed for information. It makes it easier to meet the standards for security assessments, system authorization, and implementation of cloud services for departments across the federal government. Customers are applying security/operational/compliance policies to the Kubernetes desired-state model.
2. The most common DevSecOps fails are related to culture, collaboration, and adoption/change. Changing the culture and mindset is not easy. The executive team needs to create a built-in security culture realizing that lack of security is a predictor of business failure. The security team must move past being the department of “no” by embracing DevOps, adding value without adding friction. Lack of collaboration is one of the biggest impediments to DevSecOps. There are cultural and organizational barriers to collaboration between security, development, and operations that must be overcome to build a continuous security mindset. Finger-pointing and a lack of enthusiasm for common goals of the team are generally early warning signs that the DevSecOps initiative is not going well. There needs to be a mindset change throughout the organization. If not, policies around security are instituted but are viewed as a burden. If the policies are not part of the core way the operation runs, people will take shortcuts. Be open to new ways of doing things. Institutionalize security as part of the process.
3. Concerns around the current state of DevSecOps are the culture and the term itself. There is little discussion about collaboration, shared ownership, KPIs for governance, and the cultural change necessary for successful DevSecOps. More discussion will lead to more mutual understanding, collaboration, and change. The fact there’s a name for DevOps plus security shows that security is still an outsider to DevOps. We need to reach a point where developers truly accept that security can’t be separated from their work, and where security professionals accept that they have to be part of the solution. A failure of leadership is often the root cause of the issue. Many organizations still have not embedded security throughout their deployment pipelines. The space is still very immature with a small percentage of teams having implemented DevSecOps. Automated security is only being done by a select group (5%) of advanced companies.
4. The future of DevSecOps is greater adoption, security being integrated into the enterprise and the culture, and AI/ML being used to automate and improve the security posture of the enterprise. We’ll see DevOps shift to become DevSecOps. Business leaders will come to view DevSecOps as a fundamental requirement to operate in the digital world. Successful implementations will detect and address security threats at greater speed and with less human intervention. Security will become an implicit element in DevOps. Security will gain more influence as it is integrated with product teams. Metrics will drive effectiveness and efficiency. Security and compliance controls will be embedded earlier in the DevOps lifecycle. Security will create less friction and serve as a catalyst for innovation in existing security tools. Automation will be key to success. AI-driven applications with machine learning to improve DevOps. AI/ML will indicate where to focus time on vulnerability management. AI-based solutions will predict an identify patterns to unearth security vulnerabilities before they are found by hackers.
5. With regards to DevSecOps, developers need to consider their productivity, the OWASP Top 10, education, processes, and best practices. An established DevSecOps methodology and culture means less work for developers. A DevOps team working with security spend 50% less time going back to remediate security issues. Developers trained I cybersecurity are rare, and therefore more valuable. Incorporating security throughout development and deployment is less disruptive and yields better results than ignoring security until the end. Start with OWASP to lean security best practices. Understand how your code can be vulnerable. Learn how to defend against attackers. Check out e-learning resources and read. Secure coding is not taught in any university. If developers really care, they need to take it upon themselves to learn how to code securely. It may be uncompensated time to understand SQL injection, code injection, and the OWASP Top 10, but it will save a lot of time and make you more money over the course of your career. Follow a process and embrace it. Take security seriously for your own development as a professional. Keeping a good mind about security goes hand-in-hand with other development best practices. Learn the best practices, get metrics, improve, get the playbook for how other teams are developing secure code. Developers should play a role in ensuring their enterprise’s security solution adapts to changes in the application it protects.

Further Reading

Continuous Security Using OWASP

Top 5 Challenges of DevSecOps and How to Overcome Them