“20 DevSecOps Pros Reveal the Most Important Considerations in Building a DevSecOps Pipeline” on Security Boulevard, October 10, 2019
Alan Zucker is the Founder of Project Management Essentials. He is an instructor and advisory consultant helping organizations with their Agile and DevOps practices. He played a leadership role in an Agile/DevOps transformation at a Fortune 50 financial services company.
“DevSecOps is the next iteration in developing an environment and culture of continuous delivery of value…”
Just as with DevOps, one of the primary first steps is breaking down the organizational and cultural silos that separate information and infrastructure security from the development and technology operations groups. Ask yourself: Is there an adversarial relationship between security and the rest of the technology organization? Are they seen as watchdogs or partners?
Most likely, security is not an integrated part of the delivery value chain. Security tests and audits are seen as hurdles and barriers to continuous delivery. Address these organizational and process issues first. Make the development team responsible for building a secure environment and provide them with self-service tools so that they can test the software. Make the ops team responsible for running a secure environment. Give them the tools and metrics to be active partners on the watchtower.