IDG Contributor Network: DevSecOps: Paradigm shifts are messy, but someone's got to take the lead


A perfect storm of factors brewing in the dev, ops, and security worlds have created a window of opportunity to embed security into the application delivery lifecycle, in a needle-moving kind of way. However, security teams need to be the ones driving the DevSecOps charge or that needle will barely wobble.  

Given how many security practitioners spend their days putting out fires, adding “DevSecOps evangelist” to their job description is more likely to elicit groans than spur the desire to innovate application security. As understandable as that may be, unless security teams can create the groundswell needed for DevSecOps to stick, then another paradigm shift in computing will occur in which security gets left behind.

Paradigm shift? Gag me with a buzzword spoon

As annoying of a buzzword as “paradigm shift” is, it is an accurate description for what’s been happening in the application development world as it moves from a waterfall to an agile development model. Given how rarely radical process reengineering occurs in enterprise environments, it should come as no surprise that its ripple effect has been massive. It’s also worth noting that as fast-occurring as this shift might feel, given , it’s been more than 15 years in the making but hit a tipping point when cloud-based software delivery models became enterprise-ready.

The move to Agile development was a process shift that gave rise to DevOps, an accompanying culture shift. As DevOps teams became more and more ingrained into enterprise culture, they started to build Continuous Integration/Continuous Delivery (CI/CD) pipelines as a way to automate process flows in order to speed up software delivery.

That said, at the end of the day, whenever a major security fail occurs, regardless of whoever else might be to blame, it’s the security person’s job that’s on the line.

Ironically, some security experts believe that the biggest roadblocks to DevSecOps are security folks who “.” While that’s just one perspective, it’s one I’ve seen more than once over the course of my career as a developer. As someone who’s spent years with one foot in the App Dev world and the other in Security, I am acutely aware of how beneficial it would be to forge some much needed common ground between dev, ops, and security.

For security professionals with an eye towards the future, a successful DevSecOps initiative can be a career maker, enhancing the credibility and profile of the security organization, which can then be used to justify further investment in security. The actual work involved in breaking down corporate silos and getting people to partner that historically have been unreceptive to working together is often frustrating and thankless, but at least with DevSecOps, the end result will be a major step forward for enterprise cyber security.

Time to get busy.

This article is published as part of the IDG Contributor Network.