Taos DevOps expert Dennis Ruzeski spoke on our recent webinar (watch it here) sharing best practices on how organizations can transition to DevSecOps methodologies. He discussed what DevSecOps is, why it’s important, and what the adoption of DevSecOps may look like for organizations at different stages on the security maturity scale.
We’re continuing the conversation with Dennis here in the Taos blog to dive deeper into these best practices, particularly the hurdles and challenges that teams might experience in adopting a DevSecOps culture.
Speaking from your perspective as a Manager of DevOps Engineering, how will adopting DevSecOps affect a DevOps team?
“It will actually be pretty painless and in some cases will make developer and DevOps teams’ lives easier. If you have a well thought out pipeline, you’ll be able to fail sooner and make mistakes easier and faster to remediate. However, one thing to watch out for is communication problems between the DevOps and security teams. This will be problematic, so a manager should anticipate that and be proactive about addressing expected issues. A good security expert on your operations team can facilitate communication, because they can speak that language.
As far as intra-team dynamics, DevSecOps doesn’t change how people work together. Everyone will work their assigned tickets, same as any agile environment, and actual workloads don’t change.”
What about ensuring compliance with new policies and procedures?
“If your automation tools are well designed, then compliance is automatic and the concept of non-compliance goes away. If they aren’t well designed, then there will be manual processes that introduce the possibility of human error, so always considering bringing in an outside expert to assess and advise on tooling and implementation.
It’s important to note that not all security problems can be automated. If they could, there wouldn’t be any security problems. So teams should be empowered with the see something/say something rule and information on anonymous security hotlines to report things up the chain. This is way outside the DevOps Manager scope, of course, but it’s always smart as a manager to anticipate all outcomes.”
Can the team’s collaboration and communication be impacted?
“With good planning, team collaboration should really not be impacted. But DevSecOps will hopefully improve collaboration with security teams and help to bring down some of the cultural barriers and friction that are so common.”
How does adopting DevSecOps impact a manager’s role?
“Everyone across an organization is accountable for security, but the manager’s role is to help to drive the corporate culture, policy, and security practice adoption. The security posture has to be something the whole company, from executives on down, adopts and embraces. This is where leading by example is important. Sometimes it’s bumpy, but the goal is to take a “no” from security and make it a “yes” for everyone by finding the middle ground between all the teams.”
How do you deal with resistance from your engineers and team members who might feel that new methodologies could affect their job security?
“It really is just the opposite. Responsibilities will shift but there will be no shortage of work, and the workload shouldn’t really increase either, because most changes will be automated. And remember, security practices are a living process and there is no finish line, so for many teams and engineers, this is a huge learning opportunity. Education and knowledge are job security.”
Let’s talk more about that learning opportunity. What do teams need to know?
“Professional certifications and training are plentiful, and many companies cover the costs. There will be a learning curve to pick this up, but a lot of it is just building to a new set of security requirements. For instance, instead of just saying something you’re building has to go in a redundant infrastructure with geographical separation and a blue-green deployment, you now need to introduce pieces of security like scanning and analysis tools and pen testing into the mix. These now have to be accounted for in your pipeline and automation tools.”
How can managers support team members through a transition to DevSecOps?
“Managers can support by keeping communications clear and keeping policies consistent. Monitor stand-ups and reports from the security team about remediation efforts. Show targeted goals that you can attain as a company around security, like we want 100% of our code base scanned by this date. Get feedback from the team and stay open to it. Look at metrics like changes in deployment time or pipeline deployment issues. Ask questions like, “How are these additional steps impacting our ability to deliver this software to its endpoint? How has our SLA changed? What is our time to delivery now that we’ve added these new factors into the environment?”
What do you think the key ingredient is for building and maintaining a strong DevSecOps team?
“Build your team with people who are knowledgeable and understanding of the security process and its constant evolution, who are passionate about keeping the environment safe and staying out of headlines, and who understand the importance of security in a modern infrastructure team.”
Learn more about DevSecOps with Taos at https://www.taos.com/services/managed/devsecops_now