We'll know DevSecOps has won once it's dead
Buzzwords: some folks love them; some folks hate them. Sometimes it’s a little bit of both. But like them or not, they do have one important, undeniable benefit: they garner attention. Consider how often you’ve heard about “DevOps” or “serverless”. You can describe the techniques without using any of these terms, but the label provides a point of reference. It helps to frame the conversation, which is critical when the idea is still fresh and the conversation is still evolving.
The rise of DevSecOps
You can’t go to a security event nowadays and not hear at least a few speakers say the phrase “DevSecOps”. The idea behind DevSecOps is to bring security into the DevOps process. A DevSecOps approach empowers developers and allows companies to automate and integrate security throughout their workflow.
It’s a worthy goal, for sure, and one worthy of the attention it’s garnered. Security is the responsibility of everyone, not just some other dedicated team. Finding ways to make security part and parcel of your development process instead of a roadblock in it is critical given the high-speed nature of today’s business.
DevSecOps has turned into a rallying cry of sorts for this relatively new approach to security. Judging by the number of times the phrase gets mentioned, it has been pretty impactful so far.
Ultimately, though, the real judge of DevSecOps success will be whether we eventually stop talking about it at all. Buzzwords are effective promoters in the early days of any idea, but as time goes on, the hope should be that they are no longer needed. A good buzzword should make itself obsolete.
This is particularly true of something like DevSecOps, where the goal is to get people to stop viewing security as something separate, something others take care of. We don’t want it to be a special topic of conversation that needs its own label. We want it to blend in with our day-to-day work.
A long way to go
It’s a challenge that DevOps, for example, has yet to overcome. DevOps not only remains a frequently used term; it has, somewhat ironically, become a job title unto itself. Discuss DevOps with a room full of developers and you’ll almost certainly hear at least a few of them point out that “they’re not in DevOps”. It is still seen as something different and separate.
DevSecOps will have to overcome the same challenge, and we’re a long way from that happening. We’re still in that phase where DevSecOps is something that organizations are working to wrap their heads around. It’s a significant departure from a traditional security approach, and it takes time and effort to make the switch. Awareness is still growing and having a marketable label to rally around helps to organize the ever-evolving conversation.
But one day, hopefully, DevSecOps will become “the way we work” and the term will fade into history. The ideas it represents are too important for it not to.