Let’s discuss the DevSecOps culture, or the security practices in the DevOps culture.
Culture? Yes, we are talking about culture, not processes, methodologies or even tools. But first, we need to take a few steps back and talk about DevOps.
In the past we had completely segregated teams with divided responsibilities. Dev teams focused on developing an application and then handed it over to the operations team, which was responsible for scheduling the deployment and getting the application running.
With DevOps, we started working on a culture where these two practices worked together with the same goal: build applications with agility and quality and make them available as quickly as possible. Note that when we talk about speed, it is not speed without a process, but agility that still ensures all the quality and integrity controls of the application.
When we start to work in an agile way, other practices emerge, such as automation, continuous integration, continuous deployment, infrastructure as code, and so on. In that way, we began building our infrastructure inside an agile process as well.
However, what we need to understand is that this whole process is a culture, one that must be pursued and built on a daily basis through the union of two distinct teams: development and operations.
DevSecOps as a culture
Unfortunately, when we talk about security, we often hear the topic reduced to simply dropping a tool into the pipeline, that is, adding another piece of automation. The following line of thought is common: in an environment that already has a DevOps culture, with several practices in place to deliver software with quality and agility, it is enough to add a tool and security is guaranteed. That turns out to be a completely wrong assumption: a scanner in the pipeline only reports findings, and it is the teams that must own, triage and fix them.
Just as the Development and Operations cultures work together, Security and its practices now become part of this culture as well. The DevSecOps culture means thinking about all the controls needed for teams to build, deliver and maintain a secure application from the start to the end of the development cycle.
Tools, automation and processes used to achieve agility are neither DevOps nor DevSecOps in themselves. They are just practices. DevSecOps is being able to deliver software products with quality, agility and security.