
Wait a sec! It's time to talk about DevSecOps

Why call for DevSecOps if DevOps encompasses everything from business to collaboration, including security? Because in practice, security is too often a DevOps afterthought.

"Security has always been part of DevOps! Didn't you read The Phoenix Project?"

Bring up DevSecOps and that's a common reaction from many DevOps practitioners. They may go on to note that we don't have a DevBizOps or a DevChatOps even though business needs and effective collaboration are also integral parts of DevOps.

They may have a point. But, in practice, we still run into DevOps workflows that don't continuously integrate security. We still attend enterprise DevOps events where security is treated as something of an afterthought.

The reminder is useful.

The core principles of software risk management haven't changed much since they were formally defined back in the late '80s. We need to identify, address and eliminate sources of risk before they become threats to the integrity of IT operations. Ultimately, what threatens IT operations can damage the overall business.

But the landscape in which we apply those core principles has changed dramatically.

DevSecOps secures evolving IT landscape

The IT landscape has changed. Microservices, component reuse, automation, pervasive access, immutability, flexible deploys, rapid tech churn, software-defined everything, a much faster pace and containers are all part of the modern application development and infrastructure mix. And this is against a background of constant security threats that morph faster and are executed more systematically than in the past.


Take a step back, and it's obvious there's a clear need to repeatedly automate security practices across the entire development and operational environments. This includes considering source control repos, container registries, the CI/CD pipeline, API management, orchestration and release automation, and operational management and monitoring. Thinking about security across all these areas is a necessary part of risk management in today's world.

It's not so much about specific tools and processes. Container platforms that bring together the necessary automation, scanning, workflow, developer tooling and management certainly simplify integration and maintenance. But equally important is developing a mindset and building a DevSecOps culture of continuous security that replaces multi-month patch cycles and periodic audits.
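To make the two points above concrete, here is one shape a "continuous security" control can take inside the CI/CD pipeline stage mentioned earlier: a policy gate that consumes findings from the scanners at each stage (SAST on the repo, dependency scan, image scan from the registry) and fails the build when anything at or above an agreed severity is not covered by a documented, time-boxed waiver. Expiring waivers are what turn a one-off audit exception into something the pipeline re-checks on every run. This is an added example, not code from the original article or from any particular product; the finding format, the placeholder identifiers (RULE-0001, DEP-0007, IMG-0003, IMG-0009) and the severity policy are all assumptions, and real scanners would be mapped into the Finding type from their own output.

```python
"""CI/CD security gate: fail the stage on unwaived findings above a threshold.

Added example; not the article's or any vendor's code. Finding schema,
identifiers and policy below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    stage: str      # pipeline stage that produced it: "sast", "deps", "image"
    ident: str      # scanner-assigned id (placeholder values used below)
    severity: str   # one of SEVERITY_RANK
    location: str   # file:line, package pin, or image layer


@dataclass(frozen=True)
class Waiver:
    """A documented, time-boxed risk acceptance for exactly one finding."""
    ident: str
    location: str
    expires: date
    reason: str


def is_waived(finding: Finding, waivers: Iterable[Waiver], today: date) -> bool:
    # A waiver matches only the same id at the same location, and only until
    # it expires; after that the finding re-opens instead of staying hidden.
    return any(
        w.ident == finding.ident
        and w.location == finding.location
        and w.expires >= today
        for w in waivers
    )


def blocking_findings(findings: Iterable[Finding], waivers: Iterable[Waiver],
                      today: date, threshold: str = "HIGH") -> List[Finding]:
    """Findings at or above `threshold` that no valid waiver covers."""
    floor = SEVERITY_RANK[threshold]
    waivers = list(waivers)
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= floor and not is_waived(f, waivers, today)
    ]


def gate(findings: Iterable[Finding], waivers: Iterable[Waiver], today: date,
         threshold: str = "HIGH") -> Tuple[int, List[str]]:
    """Return (exit_code, report). Exit code 1 fails the pipeline stage."""
    blocked = blocking_findings(findings, waivers, today, threshold)
    report = [f"{f.stage}: {f.ident} {f.severity} at {f.location}" for f in blocked]
    return (1 if blocked else 0), report


# Constructed sample data: identifiers are placeholders, not real CVEs or rule ids.
SAMPLE_FINDINGS = [
    Finding("sast", "RULE-0001", "HIGH", "api/handlers.py:42"),
    Finding("deps", "DEP-0007", "CRITICAL", "requirements.txt:libfoo==1.2.0"),
    Finding("image", "IMG-0003", "MEDIUM", "layer 3: libbar"),
    Finding("image", "IMG-0009", "HIGH", "layer 5: libbaz"),
]
SAMPLE_WAIVERS = [
    Waiver("IMG-0009", "layer 5: libbaz", date(2017, 7, 15),
           "not reachable from the service; upstream fix pending"),
]
SAMPLE_DAY = date(2017, 6, 30)      # waiver for IMG-0009 still valid
AFTER_EXPIRY = date(2017, 8, 1)     # waiver has lapsed; IMG-0009 blocks again

if __name__ == "__main__":
    import sys
    code, lines = gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, SAMPLE_DAY)
    print("\n".join(lines) if lines else "no blocking findings")
    sys.exit(code)
```

Run as the last step of a scan stage, the script's exit code is what the pipeline acts on; the waiver list lives in the repo next to the code so that accepting a risk is itself a reviewed change, and the expiry date guarantees the question gets asked again rather than once a year.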

You don't need to call this DevSecOps. But maybe it's not a bad idea.

This was last published in June 2017
