Shifting to DevSecOps Is as Much About Culture as Technology and Methodology


The move to container-based development and agile methodologies has been great for innovation and iteration, but it has also brought a massive shift in the application landscape, with real impact on security teams.

In just the past year or two, DevOps has become much more mature. Today we need to understand risks and implement controls not just for 10 or 20 apps—it’s often hundreds if not thousands.  

And while there are many cloud-native companies built for this new world whose entire application ecosystems are born in the cloud, the majority of companies are at different stages. Some may still be doing much less frequent releases, whether that be annual, quarterly or monthly. Some are still trying to manage their transition from waterfall-style development to modern application development with agile practices. Older, larger companies in particular may have a wide-ranging mixture of legacy on-prem and new, cloud-based apps. 

The complexity can be daunting even for the largest security orgs. You’re not updating once a year, but potentially daily. Each individual app is going to have its own automated development pipeline, with its own builds, its own releases and multiple different agile teams contributing to it.

As more companies go through this cycle of shifting left, it’s only natural to see the business get ahead of security. And as everyone goes through this transition, we’re going to see more exposure as a result of that gap, with the business developing apps at a rate that the security organization is still trying to match. 

The further left an organization has shifted, the more rapid its development, the more adaptable the security team has to be—and the only way to get there is through a true DevSecOps model where security is an intrinsic part of development in a frictionless way. 

With DevSecOps, security orgs can meet the same standards that they’re accustomed to, while also meeting developers where they are, without completely halting the entire process to implement policy. The security team can continuously work in their own workflow and create policies that meet the business’ needs, and the DevOps team can move at the rapid speed of their business requirements. 

While it’s tempting to see this as just another “digital transformation,” it is more than that. Yes, there are new technologies digitizing traditional business processes and customer interactions. But beyond the technology itself, security teams must also change the way they work, adopting agile security practices that reflect the way modern dev teams operate.

And to change the way they work, they also have to change the way they think. Companies tend to overlook the cultural transformation that’s necessary. But without that cultural shift, it doesn’t really matter how agile development works or even what the digital transformation is. 

For security pros, that cultural transformation involves a lot of letting go. You’re not the big policy czar in the sky anymore. In this new world, you have to be able to infuse your understanding of risk and do it at the speed of the business: rapid development, shorter release cycles, staying in the thick of things through collaboration tools like Slack and Microsoft Teams. And that is a massive change in the way many security pros think about their jobs. 

The only way to solve the challenges presented by agile development is by making security a fundamental part of the entire process. It can’t be an afterthought. Otherwise it adds friction, and the dev team continues moving at business speed no matter what. The security team has to be able to adapt to that frictionless environment where tests are conducted as part of the builds and security choices and the decision to release are part of the process, not separate functions.

A true DevSecOps environment involves breaking down barriers and creating a cross-functional team focused on one objective. The key is to understand that DevOps is now a way of life, while SecOps is our old way of living. Those personas have to merge into a true DevSecOps model that functions as one.

What was previously more of a theory for most companies is real today. And the conversation about DevSecOps is just starting.


Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media, where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.
