Devsecops

DevSecOps Culture

Download PDF

Online media and marketing are filled with terms like DevSecOps methodology, DevSecOps model, or DevSecOps techniques. However, in order to be successful, organizations must understand that DevSecOps is first and foremost a culture. DevSecOps culture focuses on uniting the normally siloed roles of Development, Security, and Operations into a collaborative shared-responsibility paradigm. It seeks to break down barriers of finger pointing and deflection. Instead, it aims to build empathy and common goals among various disciplines within the organization.

4 pillars of DevSecOps Culture

There are four key pillars that must be considered when looking to shift the DevSecOps culture of an organization:

  1. People
  2. Processes
  3. Technologies
  4. Governance

DevSecOps principles build on these four intersecting parts, by eliminating the silos and creating a collective focus. This environment of shared responsibility and mutual empathy requires breaking down barriers between teams. Consequently, people are the starting point and the foundation of any DevSecOps implementation. Restructuring DevOps and Security teams to establish efficient cooperation between them, as well as offering good quality and targeted training to the wider organization will ensure that security becomes a frame of mind rather than a hindrance. 

The next step is to introduce supporting processes, with the aim to further improve collaboration between people as well as achieving more secure development processes as a whole. These process changes are designed to span the three functional areas of development, security, and operations providing cohesion and uniformity between them. They establish a common goal of secure and stable software developed at scale.

Additionally, the DevSecOps approach requires having the right technologies in place to enable employees to execute these processes as well as automate them. This, ultimately, reduces the organization’s attack surface and enables effective management of the technical security debt. Technology, the tooling that supports a DevSecOps pipeline, is often the area most organizations think of first.

And finally, one of the least thought of elements of a true DevSecOps culture is governance. While the people, processes, and technologies come together to support each other, governance also plays a key role. It measures the performance of the other elements and can point out where more focus is needed to ensure all parts of the culture form together.

Culture is a result of people, process, technology and governance functioning together

As best practice, before starting on the journey to DevSecOps, organizations should assess their current development, security, and operations teams. The objective of this assessment is to plan for how DevSecOps approaches can be integrated into the organization. Visibility of the organization’s overall readiness to adopt a DevSecOps paradigm should be established with clear action items for addressing any deficiencies.

People: empowering the team

Rather than following the habit of calling humans ‘the weakest link’ when looking at security-related factors, we can empower them to be the strongest link and an important part of a company’s defenses. A modern security culture and mechanisms that work for, rather than against, people are crucial to making security work. Moving to DevSecOps starts by challenging the way traditional security teams integrate with the wider business. But the focus needs to be wide-ranging and not forget operations. Strong links between development, security, and operations teams ensure earlier feedback on the quality, from a security point of view, of the code, software or application, and in turn reduce the costs of implementing fixes.

Traditionally development was responsible for fast delivery, security was responsible for application security, and operations was responsible for stability. DevSecOps destroys those silos, eliminates finger pointing and unites all three roles in a common goal of quickly delivering software that is both secure and stable. Everyone has equal stake in all three objectives and uses their own expertise to support the others. Accountability, empathy, enablement become crucial characteristics of successful teams. To support this, underlying processes must change as well.

DevSecOps culture: graph showing responses of the survey about who should be responsible for security in the firm
As more organizations adopt DevSecOps delivery models, attitudes about who is responsible for security are shifting. Source: 2020 State of Open Source Security report

Process: supporting the new DevSecOps culture

Changing the mindset of the organization requires that processes are in place to ensure the new culture is adopted with ease. Looking at organizational processes in DevSecOps requires breaking down traditional barriers of authoritarian policies and workflows. To support the model of shared-responsibility, equity of purpose needs to be established between each of the disciplines. 

Gating models have to be removed when shifting to DevSecOps. Traditional security strategies involved setting key milestones at which security activities occurred and not allowing the process to progress past that milestone until an acceptable result was achieved. In some organizations with particularly mature models, operations implemented similar gates before software could be deployed. This gating model creates lengthy feedback loops that slow software delivery and ultimately reinforce silo-based thinking. 

Mutual accountability is a concept that must be embraced, as a replacement to gating, and supported by subsequent process changes. Development, security, and operations roles should be working together to ensure all objectives of fast, secure, and stable software are achieved. Processes by which security and operational best practices are implemented throughout the delivery pipeline are crucial in establishing this collaboration and accountability. Of course, to do this also requires the support of proper technologies.

Technology: paving a path to success

While people and processes work together to ensure adoption of this new DevSecOps culture, it can all still fall apart if the underlying technology doesn’t accommodate the changes. Technology that can integrate into the delivery pipeline, can be used with relatively low effort (often through automation), and supports the multi-functional needs of a DevSecOps model needs to be adopted. 

automation is one of the aspects of  DevSecOps culture
Automation of security practices can be an important step in enabling DevSecOps, however automation is only one aspect of building a DevSecOps culture.

Often when people think about DevSecOps technologies they get caught up in the automation of delivery processes such as builds, promotions, and deployments. But automation isn’t always the correct answer. Organizations need to look at their technology and automate when necessary and capable, streamline where possible, and eliminate where it’s not practical or it is redundant. Minimizing the various technologies through which the pipeline travels is an underrated but effective way to optimize software delivery. 

Governance: measuring results

Advancing cultural shift within any organization requires the ability to monitor progress, measure success, and identify challenges. Governance functions provide the oversight to ensure that not only are practices being adhered to but also that they are having the expected impact. If tooling is working properly but the processes surrounding it are cumbersome, the pipeline can still fail. If good processes have been defined, but the people are not adopting them consistently, this can cause failures as well. A good governance program works with these other elements to highlight potential problem areas.

A significant feature of governance in the DevSecOps culture is the establishment of a comprehensive metrics program. The ability of the culture to grow and continually improve needs to be demonstrated to the business. Since a culture change, like the DevSecOps journey, is a long-term investment, it’s important that the value of the initiatives being launched can be demonstrated along the way. A DevSecOps journey should not be focused on a final outcome, but rather continuous improvement and maturation of the culture within the organization. Metrics and KPIs within the governance program should reflect this.