The compliance stakes are high for DevOps shops. Security failures bring the potential of financial penalties and legal action. Such high stakes can, in fact, drive a transformation from DevOps to DevSecOps, a shift that establishes a secure development process and ensures compliance and cross-team collaboration from day one.
DevOps to DevSecOps at the team level
Moving from DevOps to DevSecOps to meet compliance requirements calls for a unified way of working that brings together the security, development and operations teams.
When different teams come together, the business goals of the organization determine their roles, said Jo Peterson, vice president of cloud services for Clarify360, a technology sourcing and benchmarking firm. For example, a startup that's about to go public -- and the resulting alphabet soup of compliance -- puts security in the driver's seat. To this end, DevOps and security evolve together into one cohesive DevSecOps team, but a segregation of duties and responsibilities remains.
The security team must train developers in code assessment, recommended Robert Rowley, director of security and privacy for Pagely, a company that provides managed WordPress hosting. Security teams don't have the resources to inspect every line of code, especially at DevOps velocity. Instead, the developers and security personnel can decide on the limits of code assessment and where to best use the busy security team.
When it comes to instilling a DevSecOps culture, Wayne Sadin, CTO and chief digital officer of senior living company Affinitas Life, sees no reason to go slow.
"If you're going to screw with the culture anyway, let's build the culture of the future," he said. "We're upsetting a lot of apple carts, so let's keep going."
Management must work closely with their teams to explain changes on the road to DevSecOps, as well as the role auditors and compliance people play.
DevOps and DevSecOps enter the C-suite
Eventually, the CIO and chief information security officer (CISO) must participate in the DevOps discussion. This is especially true when a development project needs to be compliant with the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act or other compliance standards. This discussion needs to cover how teams can work together to achieve IT delivery goals with the best use of resources.
For Peterson, the borderless environment of the cloud makes it tougher for CISOs and their teams to keep an organization secure. Security, development and operations teams must agree to communicate and share knowledge across domains.
Because so many people have roles in a company's security strategy, Sadin suggested organizations designate a single point person for risk or security -- DevOps shop or not.
But don't let security silo itself, Rowley cautioned. When security becomes so removed from the process that it doesn't function well with the other C-level executives or departments, security will fail.
DevOps to DevSecOps transformation
Compliance won't succeed in an organization that isn't moving toward DevSecOps.
The development team should build deeper working relationships with the security team through training sessions or other cross-functional work.
The CIO and CISO should work together more closely on strategies and frameworks to defend applications and cloud environments against attack. The effort is about even-better collaboration with the security team, not one superteam running the release cycle.