The enormous growth of DevOps is no accident. As organizations attempt to navigate the complexities of digital business, speed and flexibility are everything. Yet somewhere between innovation and disruption lies a basis fact: A DevOps initiative is only as good as the security framework that supports it.
Unfortunately, many organizations focus on speed and precision at the expense of security. The problem, according to a 2017 report from Gartner, is that DevSecOps is about speed and precision, yet security is often seen by development managers as a training burden or blocking issue. As a result, organizations become mired in a “fix it later” mentality.*
Overcoming this hurdle can prove daunting. Tossing money at more security and more training isn't necessarily the answer. A better approach centers on developing security champions who convey security priorities to colleagues. This approach boosts buy-in. It also speeds the feedback loop and helps translate security priorities into secure development practices that span groups and jargon.
Code Red
Establishing a DevSecOps framework is at the center of an agile and flexible enterprise. But putting the concept into motion is easier said than done. For one thing, business leaders must move beyond the perception that security is a roadblock for effective DevOps. When security is successfully integrated into processes and workflows, it creates a more streamlined and secure development environment. For another, they must adopt the right methods and techniques.
Gartner points out: “The use of a security champion grants organizations an individual who can act as an on-site advisor and as an expert who can anticipate potential design or implementation problems early in the development process. Champions can reduce the perceived complexity of secure coding by providing immediate, real-world examples in the team's code and can focus on immediate remediation rather than more abstract, less relatable issues. ”*
Moving Beyond DevOps
There are several steps that can help an organization cultivate security champions and make the leap to DevSecOps: Ask for volunteers, Establish a minimum baseline of what it takes to be qualified as a security champion, Provide training for these basic skills, Set expectations about time commitments, Train team leaders whenever possible.* Please read the report for a fuller description of these topics.
A Winning Approach
While there is no simple or single way to transform DevOps into DevSecOps, security champions can serve as a powerful tool. They can help an organization adopt a best practice approach.
Learn how to take your DevOps program to the next level by cultivating security champions.
*Gartner - Magic Quadrant for Application Security Testing, Ayal Tirosh, Dionisio Zumerle, Mark Horvath, 19 March 2018