Back in 2012, in a report called “DevOpsSec: Creating the Agile Triangle,” Gartner identified the need for information security professionals to become actively involved in devops initiatives. Five years and more than 24 billion Docker image pulls later, that need is now a full-blown imperative.
As I’ve written in InfoWorld, devsecops needs to be led by the security team members because they are the ones ultimately responsible for the cybersecurity posture of the enterprise. Those tasked with implementing devsecops should expect a learning curve as they bond with devops teams, familiarize themselves with concepts such as continuous delivery and tools like Jenkins and Docker, and determine how best to implement devsecops in their organizations.
Devsecops leaders also need to adapt to the reality that devops is all about speed, agility, and automation, while devsecops is about updating and realigning security for today’s technologies, processes, and pace. Even the most security-friendly devops teams may perceive the inclusion of any security measures/controls as slowing the pace of application delivery.
However, if devsecops teams seize the opportunity to “shift left” security, moving controls earlier into the development pipeline, friction between security and devops (and hopefully the rest of IT as well) should erode quickly. That shift is foundational to devsecops success. One key way to justify the business case for devsecops, and to convince those forging the path that it is good for everyone, is to measure its effectiveness.