These days, everyone is talking about DevSecOps, and you might be wondering what it’s all about.
How we evolved to DevSecOps
Security was not really a part of software development until the early 2000s when Microsoft started the Trustworthy Computing Initiative. They came up with a concept of security DLC where you integrate different security practices throughout the different stages and software development lifecycle.
At that time, everybody built software following the waterfall methodology. As the processes evolved into Agile or DevOps, security practices evolved with them as well.
Today, we’re in the stage where we have something called DevSecOps, or SecDevOps, as it is referred to by others.
What is DevSecOps?
Is DevSecOps a person? Is it putting tools in your system? Or, is it a bunch of processes?
It’s actually all of those things.
DevSecOps is not just about anyone of those things, it’s a combination of the people, the processes, and the technology that you incorporate into your development and operational practices. It is about a culture and adopting a shift in how things are done by the team.
It’s really important to note that it’s not about hiring a dedicated application security professional and planting that into your existing DevOps teams.
It’s about enabling your team by training your developers. It’s about putting automated tools and processes within that existing team to address the low-hanging fruit, which is about 80% of most application developments teams problems.
What about the other 20% of security problems?
For the other 20% of security problems, domain experts are required. In larger organizations, a central shared application or cloud security team would be present to support the security champions on the ground in each team.
In medium-size or smaller organizations where that is not an option, a third-party services provider such as Forward Security can be used to provide the required support and domain expertise.
At Forward Security, that is one of the core services. We partner with our clients to build secure applications together.