DevSecOps – a collaboration
The relentless pace of technological change, underpinned by scientific and technical advances, has unsurprisingly driven changes in our behaviour and expectations. This is especially pronounced for software products. Historically, multi-year product development cycles were the norm; acceptable product lifecycle time frames have now shrunk to months or even weeks. These compressed timelines enforce a laser focus on product strategy, in addition to effective process and stakeholder management.
A central theme of DevSecOps is collaboration, involving process, people and technologies. Software development involves multiple teams, namely development, security and operations. Traditionally these teams worked sequentially through the Software Development Life Cycle (SDLC), in effective silos with clear hand-offs between them. That model is no longer suited to secure software production. DevSecOps aims to remove the boundaries between development, security and operations, requiring the three to function as a single team with common goals. Think of a pit stop in motor racing: the aim is to get the car back on the circuit as soon as possible, so refuelling, tyre changes, repairs and mechanical adjustments are carried out concurrently, and the car is serviced in seconds. Compare this with taking a car to a traditional garage, where the lag time could be hours or even days.
Likewise, DevSecOps requires team members to continuously acquire knowledge and understanding of disciplines other than their own specialism. This has two effects: firstly, it gives team members an understanding of disciplines not traditionally associated with their role; secondly, that knowledge allows them to understand and respect colleagues with different specialisms.
Whilst no single team member can be the subject matter expert (SME) for everything, an SME in one discipline will need an understanding of the activities of the other disciplines, if not at an individual level then at least at the level of the team. SMEs will be familiar with their native environments and should be comfortable with the toolsets for normal operations, even where specialist toolsets are required. DevSecOps teams, by definition, consist of separate team members familiar with development, security and operations concepts and practices. It is unlikely that any of them will be a specialist in all three, so the operational environment will need to be easily accessible and readily configurable by each discipline (especially security) to meet its own best-practice expectations. Bringing non-specialists into each other's areas increases the variability within the operational environment, which makes the right tooling, automation and metrics reporting more important; the actual toolsets and level of automation will depend on the organisation's existing environment and security maturity. It will not be possible to automate everything (the prime example being remediation, which will usually require manual intervention), but wherever automation is possible it improves efficiency and consistency.
No tooling or process changes will be effective without accompanying education and awareness. Continuous education has always been important, particularly in technical disciplines, and certainly in the field of cyber security. However, with the pace of technological change and the holistic methodologies that practitioners need to adopt, foundational education will need to be structured and well-timed. Without these considerations, training is likely to be lost amongst the sea of noise that is ever-present in a modern operational environment.
The aggressive timelines required in modern secure software development put us on the cusp of a new paradigm through DevSecOps. The following steps will help to guide teams towards the new functional model:
1. Enable collaboration between processes, people and technologies.
2. Define common goals.
3. Engage with automation and toolset implementation.
4. Implement structured and well-timed training to provide an educational foundation.
5. Exercise continuous review and improvement.
Ultimately, the success of DevSecOps involves collaboration, shared goals and education to remove traditional silos. As with the pit stop in motor racing, the whole team collaborates to get the vehicle back in the race as quickly as possible.