What is DevSecOps and How to Transform Your Agile / DevOps Team?

These days, everyone is talking about DevSecOps, and you might be wondering what that’s all about.

How We Evolved to DevSecOps

Security was not really a part of software development until the early 2000s when Microsoft started the Trustworthy Computing Initiative. They came up with a concept of security DLC where you integrate different security practices throughout the different stages and software development lifecycle.

At that time, everybody built software following the waterfall methodology. As the processes evolved into Agile or DevOps, security practices evolved with them as well.

Today, we’re in the stage where we have something called DevSecOps, or SecDevOps, as it is referred to by others.

What is DevSecOps?

What does it all mean? Is DevSecOps a person? Is it putting tools in your system? Or, is it a bunch of processes? Well, it’s actually all of those things.

DevSecOps is not just about anyone of those things, it’s a combination of the people, the processes, and the technology that you incorporate into your development and operational practices. It is about a culture and adopting a shift in how things are done by the team.

It’s really important to note that it’s not about hiring a dedicated application security professional and planting that into your existing DevOps teams. That is not what DevSecOps is about.

It’s about enabling your existing team. It’s about training your developers. It’s about putting automated tools and processes within that existing team to address the low-hanging fruit, which is about 80% of most application developments teams problems.

The question is – what about the rest of them? What about the other 20% of security problems?

What About the Other 20% of the Security Problems?

For the other 20% of security problems, domain experts are required. In larger organizations, a central shared Application or Cloud security team would be present to support the security champions on the ground in each team. In medium-size or smaller organizations where that is not an option, a 3rd party services provider can be used to provide the required support and domain expertise.

At Forward Security, that is one of the core services that we provide. We partner with our clients to build secure applications together.