The importance of Communication in DevSecOps
Do you want to understand more about the importance of Communication in DevSecOps? Believe it: eliminate murmur between teams is important and may help to prevent risks to secure development.
When thinking in DevSecOps, the first things that come to mind are Continuous Security, Secure Development and the Shift Left mode.
After all, DevSecOps is the development approach integrated into security on agile development.
Though, if you want to understand more about what DevSecOps is and how to include a DevOps security model, we recommend this article published in our blog.
Do you know the role of an important communication to the DevSecOps process?
Although the approach to agile development is highly adopted in companies, security can not exist in all cycles if communication is not included in the process.
That’s why in this article we will approach the importance of communication for the process of DevSecOps. Check it out!
What is communication?
For starters, we need to have a clear definition and understanding of what communication is.
In a general way, communication is the act of exchanging information from one person to another. For those eager on a deeper definition, it is possible to find it here.
Yet, we can say that communication, in its essence, is not what you say, but what others understand!
Though, it is a problem: not always what we think we have transmitted is what others understand. The difficulty to transmit a clear message is called barrier, which can be an influencer through many stages of life.
What is the importance of communication in the DevSecOps process?
By now you might be wondering: what does this have to do with AppSec or even DevSecOps anyway?
Well, if we imagine that building a development process involves defining the relationship and information exchange between various areas and people, we understand that communication must be one of the most important aspects to be built.
Now, if this communication process will be carried out to a group, often formed by diverse professionals, of various ages, cultures, beliefs and sometimes even geographically separated, the care that should be given to the theme becomes more evident.
After all, communicating is not what you say, it is what the other person understands: remember that!
It is true that within a DevSecOps process there is a great use of automated steps, but there is also an intense exchange of information between the most diverse areas whenever necessary.
These exchanges of information can be from a simple email, talking about a configuration problem, even a complex report that must be created to be presented to the company board.
But what we are going to deal with here is how information influences within development teams and their external relationships.
What do DevSecOps teams need to have a correct communication with security teams?
Like any group of people, DevSecOps teams need to establish clear and assertive information exchange so that they can perform their tasks to the best of their ability.
This information exchange is often done between groups from different areas, with different knowledge and experience and who need to be aligned in their understanding.
The choice of terms and topics that are relevant to each part of the communication is important to establish the best possible exchange of information.
Enforcing views and opinions has never been and is not the best way to work out the importance of DevSecOps communication between teams. The best aspect of communication is convincing by solid arguments.
At this time the presence of experienced people is crucial, and here can be a great opportunity to scale the figure of Security Champions, as it will move between the two “worlds” and know how to convey the message in the best way.
What is the ideal number of participants to optimize communication in DevSecOps?
In this article published in Gartner, DevSecOps team building the issue of communication is also raised.
According to the information in the article, one of the biggest problems of not recognizing the importance of communication in DevSecOps is already having a hard time determining the correct size for each team. After all, the more participants, the greater the chances of problems communicating.
Some argue that the ideal team size should be a maximum of 10 people, others argue that it should not exceed 7.
As we know, communication is a two-way path – or more! – ways, and as we increase the number of people in a group, these communication channels grow exponentially, and more problems can arise from that.
Communication is the solution, not the problem
An important point to understand is that technical and non-technical professionals have different ways of communicating, and this same fact can be observed among security and development professionals, we already talked about this difficulty in another article.
This fact alone would make us alert and focused on developing a clear and effective communication process that could address the aspects of everyone involved in the DevSecOps process.
In this scenario, it is common for the responsibility for poor communication between these two teams to fall in only one direction, and usually, one group blames the other.
The point is that since communication is a two-way street, if there is no clarity in the sending of the message, the reception is left to a series of assumptions and in this, our brain is not very good. That is, there is room for things to go wrong.
How to structure the importance of communication in DevSecOps
In order for communication to flow as clearly as possible, some care must be taken.
Choosing a reliable information exchange environment is one of these ways.
Setting up a structure that can be used for this communication is another factor that can help in the communication process.
Technicians aren’t known for their writing skills, but that doesn’t mean they can’t improve on that. Therefore, making a structure pleasant to them is one of the first steps.
Look at its structure and see if there is a building of tools and systems that makes it possible for everyone to contribute. Also, see if within your teams there is a habit of setting up meeting times – even virtual ones – for exchanging experiences. That quality time when everyone can stop for one can make a big difference!
What is the impact of the tools on communication?
One of the points we most often notice is the great importance given to tool reports, which can often be used by development teams as a communication mechanism with others.
The tool is not the problem, but neither is the AppSec it is not a “silver bullet”.
Poorly operated tools with inexperienced teams can bring more problems than solutions. The number of false positives they present can lead to greater wear and tear between teams, as they deliver false visions to either the development team or even the security team.
In addition to false positives, poor communication between teams, as well as a lack of understanding of the tool’s outcome can often lead to false negatives. And that can be even more serious than the false positive problem.
To mitigate the friction and misunderstanding of this scenario, the importance of Communication in DevSecOps is total, and the protagonist deserves to gain space.
After all, at worst, the error or miscommunication of a vulnerability could eventually result in a vulnerability that will never be fully or partially corrected until a more obvious problem.
In this sense, not working with communication would cause a real boycott of the preventive security that the DevSecOps process is aiming for.
How can communication be enhanced?
Thinking about the importance of Communication in DevSecOps, it is important to work in the feedback culture towards open communication. These points help build an environment where everyone can put their point of view to show they can contribute to the discussion.
Making sure that your development or even security team members have good communication is one of the biggest challenges, but if the environment where they are inserted does not provide the confidence of communication, this process is bound to fail.
One of the things that can be done is to create an environment that can bring the participant the best opportunity to convey what they want. For some, it may be during daily project meetings, for others, it may be through documentation. For others, a simple comment on commit processes can help.
The point is that the manager will need to develop an ability to identify which platforms and/or environments for his team.
Acknowledging that there is a problem is the first stepDifferent contexts of communication in DevSecOps
At this moment, the context is of utmost importance!
If we really want to work out the noise in communication between teams, we need to understand that the security team can help DevOps in their perception of architecture from a security standpoint or even in how applications can be improved in the security aspect.
Communication failures can seriously compromise the security of the applications produced by your development team, thus compromising your business.
Therefore, the importance of DevSecOps Communication directly impacts development teams, and with the help of security, teams can even provide developers with a better understanding of compliance issues that should be followed.
So, have you evaluated how it is or how the communication between your teams is?