Application Security

DevSecOps: Security as culture

In recent years, we have heard a lot about terms like DevOps and DevSecOps, and a quick search reveals many job vacancies for these roles. But what is DevSecOps? Why is this type of professional in such high demand?

The Beginning of DevOps and DevSecOps

Looking at the software development market 20 years ago, we had isolated development and operations teams. Although both worked to deliver the same product, they were kept separate and did not work synergistically.

However, the growing demand for agility in developing and delivering software created the need to remove these barriers and bring the teams together. With this in mind, Patrick Debois, who organized the first DevOpsDays in 2009, and Jez Humble [1] popularized the term DevOps, aiming to show that software engineers should have a general perspective of the project, understanding not only their piece of the puzzle but also how it interacts with the other elements of the cycle.

In this sense, developers stop being just coders and become protagonists throughout the software development cycle, actively participating in implementation, testing, validation, and monitoring of the software.

Alongside the intrinsic benefits of adopting the DevOps culture and the technological advances that came with it, security concerns have grown, driven by the increase in security breaches such as data leaks, and the industry has been forced to pay more attention to secure development processes. In this context, application security practices needed to be incorporated into the DevOps culture, giving rise to the term DevSecOps.

In the traditional development model, some processes aim to ensure system security, such as penetration testing routines, monitoring policies, and incident response, but they are usually run only at the end of the development cycle, when a vulnerability is far more expensive to fix than it would have been at design or coding time.

Therefore, security needs to be added to the DevOps process itself, making the software engineer an active player in implementing security mechanisms throughout the development cycle. The developer becomes a participant who actively interacts with the security and operations teams.
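To make "security at each stage of the cycle" concrete, here is an added example of a minimal pre-merge security gate of the kind a DevSecOps pipeline runs on every change before it reaches the main branch. This is illustration written for this post, not code from the post's author or from the Conviso Platform; the secret patterns, the advisory table and the sample diff and requirements file are constructed and far smaller than what a real scanner ships with.

```python
"""Added example (not from the original post): a small pre-merge security gate.

Two checks run on each change and their findings are aggregated; the gate
fails when any finding reaches the configured severity. The patterns,
advisory data and sample inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    check: str      # which check produced it ("secrets" or "dependencies")
    severity: str   # one of SEVERITY_ORDER's keys
    location: str   # file or package the finding refers to
    message: str


# Constructed secret patterns (hypothetical; real scanners carry far larger rule sets).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*=\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed advisory table: package -> (vulnerable pinned version, severity).
# Hypothetical data standing in for a real vulnerability feed.
ADVISORIES = {
    "examplelib": ("1.2.0", "high"),
    "otherlib": ("0.9.1", "medium"),
}


def scan_diff_for_secrets(diff_text: str) -> list[Finding]:
    """Scan only the added lines of a unified diff, so the gate flags what
    this change introduces rather than pre-existing code."""
    findings = []
    current_file = "?"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+"):
            continue
        content = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append(Finding("secrets", "critical", current_file, f"possible {name}"))
    return findings


def check_dependencies(requirements_text: str) -> list[Finding]:
    """Match exact pins (name==version) in a requirements file against ADVISORIES."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        advisory = ADVISORIES.get(name.lower())
        if advisory and advisory[0] == version:
            findings.append(Finding("dependencies", advisory[1], f"{name}=={version}",
                                    "known vulnerable version"))
    return findings


def gate(diff_text: str, requirements_text: str, fail_at: str = "high") -> tuple[bool, list[Finding]]:
    """Run all checks; return (passed, findings). The gate fails on any
    finding whose severity is at or above fail_at."""
    findings = scan_diff_for_secrets(diff_text) + check_dependencies(requirements_text)
    threshold = SEVERITY_ORDER[fail_at]
    passed = all(SEVERITY_ORDER[f.severity] < threshold for f in findings)
    return passed, findings


# Constructed sample change: a developer replaces an environment lookup with
# a hard-coded password and adds an access key.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
"""

# Constructed requirements file with one pin that matches the advisory table.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
examplelib==1.2.0   # constructed vulnerable pin
otherlib==0.9.2
"""

if __name__ == "__main__":
    ok, found = gate(SAMPLE_DIFF, SAMPLE_REQUIREMENTS)
    for f in found:
        print(f"[{f.severity.upper()}] {f.check}: {f.location}: {f.message}")
    raise SystemExit(0 if ok else 1)
```

Run as a script it exits non-zero, which is what a CI step needs to block the merge; the sample change produces two critical secret findings and one high dependency finding. The important design point is that the gate reports back to the developer on the change they just made, at the moment they made it, rather than as a pentest report months later.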

DevSecOps Culture

We must be clear that the market commonly treats DevSecOps as an exclusive role or function of the developer. Still, the DevOps and DevSecOps concepts are about culture, behavior change, and business vision, and should not be limited to a position or a person. We are all invited to learn and be part of this culture of secure development.

A cultural change in the organization is necessary to change the way developers think, which in turn changes the development process. Therefore, DevSecOps aims to promote an environment of continuous collaboration, focused on putting security in each stage of the process. Now, I invite you to learn about some essential points that we believe are necessary for an effective DevSecOps culture:

1- Knowledge sharing. The secure development process is closely linked to how we deal with education and training. We should encourage our teams to share knowledge and create a culture of sharing practices. Here we can mention the figure of the Security Champion: a developer who receives security training and is responsible for evangelizing secure development standards by disseminating that knowledge to the entire team.

2- Communication. Continuous improvement only exists through dialogue, so you, as a DevSecOps practitioner, should ask yourself: “How can I help my team? How can we implement secure processes without slowing down deliveries?” The goal is to eliminate communication barriers between the parties involved.

3- Feedback. DevSecOps provides continuous feedback on what you and your team are doing, so that you can mature the processes and make the cycle more agile and effective.

DevSecOps goes beyond tools

Several other points could be raised as DevSecOps activities, but I believe that by now you have realized that it is all a matter of culture. You may wonder: “Here in my company we have several tools that support DevSecOps; where do they fit into the culture?” The answer is simple: the tools support us along the journey to make applications more secure.

On the market, several tools can facilitate implementing and maintaining a secure development process, but tools alone are not enough to ensure a secure application.

As an example, we can mention the Conviso Platform, which seeks to enhance the implementation of a secure development cycle by presenting, in a simple way, several tools that support the developer in their activities.

In conclusion, DevSecOps is not a rigid set of rules and procedures to be followed methodically, but a mindset that needs to be absorbed and popularized by all members of the development team.
