Do You View Your AppSec Tools as an Inhibitor to Innovation or a Safety Measure?

devops is all about making better software faster. it also requires making it more safely while compressing the time between ideation to realization. i hear it organizations tell me time and time again of their ambitions to be the innovation powerhouse for their business - so it’s great news that most of the survey respondents (more than 80% in fact) didn’t see their appsec tools as an inhibitor to innovation but rather a safety measure.

if you’ve read the phoenix project you’ll probably remember the portrayal of john, the ciso. he started the book as an outsider, on a completely different wavelength to other characters. but john was also pivotal to bill’s realization that he needed to amplify the feedback loops between it and the business and get much closer to his organization’s ‘why.’ security has often been a bit of an afterthought in the devops world for many organizations, but i hark you back to the “more safely” part of my first sentence.

i recently had a conversation with magnus hedemark on linkedin where he pointed out that devops breaks the iron triangle of cost, speed, and quality; traditionally there’s always been a trade off where you could only be great at two. for example, you could have speed and quality but only at a very high cost.

in addition to enabling all three attributes of the iron triangle, devops gives us a bonus 4th portion of delight: happy people. thus the “ beal-hedemark golden square of devops ” was born. devops allows us to deliver at low cost, at high speed, and with high quality along with this extra dose of happiness (have you heard of humanops or hugops ?).

devops-native appsec tools integrate early into your software development lifecycles allowing your software engineers to make informed choices about the composition of your applications. devops-native tools also help avoid costly future situations and support the golden square. shifting security left in this way:

• saves us money and time down the line by mitigating risk (cost).
• reduces the need for expensive and time-consuming penetration and vulnerability testing, avoiding any nasty surprises from security incidents and commercial licensing point of views (speed).
• automates quality into your toolchain by integrating these tests into your ci/cd pipelines (quality).
• empowers your developers by warning them of the risks as they add artifacts into their applications and giving them the opportunity to make an informed choice about what would be a better option (happiness).

building the right appsec tools seamlessly into the devops loop -- your continuous release cycle -- means your it delivery value stream operates faster, cheaper, and at a high quality. your software engineers are happy because they are producing high-quality code, your security teams are happy as they know their policies are being followed and they can see it. and most importantly, your customers are happy because they are getting what they need and everyone is safe.

devops-native appsec tools help drive innovation - they provide light a “ belt and braces ” touch (if that’s not too oxymoronic) that allows for the evolution of a safety culture.

want to learn more about devsecops?

this blog is one of seven in a series providing expert commentary and analysis on the results from sonatype’s 2017 devsecops community survey. for access to all of the blogs in this series and the survey report, please visit: www.sonatype.com/2017survey .