"Security has always been part of DevOps! Didn't you read The Phoenix Project?"
Bring up DevSecOps and that's a common reaction from many DevOps practitioners. They may go on to note that we don't have a DevBizOps or a DevChatOps even though business needs and effective collaboration are also integral parts of DevOps.
They may have a point. But, in practice, we still run into DevOps workflows that don't continuously integrate security. We still attend enterprise DevOps events where security is treated as something of an afterthought.
The reminder is useful.
The core principles of software risk management haven't changed much since they were formally defined back in the late '80s. We need to identify, address and, where possible, eliminate sources of risk before they become threats to the integrity of IT operations. Ultimately, what threatens IT operations can damage the overall business.
But the landscape in which we apply those core principles has changed dramatically.
DevSecOps secures evolving IT landscape
The IT landscape has changed. Microservices, containers, component reuse, automation, pervasive access, immutable infrastructure, flexible deployment, rapid technology churn, software-defined everything and a much faster pace of change are all part of the modern application development and infrastructure mix. And this is against a background of constant security threats that morph faster and are executed more systematically than in the past.
Take a step back, and it's obvious there's a clear need to automate security practices continuously across the entire development and operational environment. That includes source control repos, container registries, the CI/CD pipeline, API management, orchestration and release automation, and operational management and monitoring. Thinking about security across all these areas is a necessary part of risk management today.
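One concrete form that "continuous security across the pipeline" takes is a gate that every run of the pipeline passes through: findings from the repo scan, the dependency scan, the image scan and the infrastructure-as-code scan are normalised into one shape and judged against one policy, and a time-boxed risk acceptance (not an open-ended ignore rule) is the only way past it. The code below is an added example written for this article, not code from the original page or from any particular tool; the stage names, the finding and acceptance records, the rule identifiers and the sample findings are all constructed for illustration, and a real deployment would feed it the normalised output of whatever scanners it runs.

```python
"""Pipeline security gate (added example; finding format and sample data are constructed)."""
from dataclasses import dataclass, field
from datetime import date

# Policy scale. A threshold of "HIGH" blocks HIGH and CRITICAL findings.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def normalize_severity(raw: str) -> str:
    """Map a scanner's severity string onto the policy scale.
    An unknown or misspelled label is treated as HIGH so the gate fails closed."""
    label = raw.strip().upper()
    return label if label in SEVERITY_RANK else "HIGH"


@dataclass(frozen=True)
class Finding:
    stage: str      # assumed stage names: repo, deps, image, iac
    rule_id: str    # scanner rule or vulnerability identifier (constructed here)
    severity: str   # scanner's own label, normalised at evaluation time
    location: str   # file, package URL or image reference


@dataclass(frozen=True)
class RiskAcceptance:
    rule_id: str
    location: str
    expires: date   # acceptances are time-boxed; after this date the finding blocks again


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)         # must be fixed before release
    accepted: list = field(default_factory=list)         # suppressed by a valid acceptance
    expired: list = field(default_factory=list)          # had an acceptance, but it lapsed
    below_threshold: list = field(default_factory=list)  # recorded, not blocking


def evaluate(findings, acceptances, threshold="HIGH", today=None) -> GateResult:
    """Decide whether the build may proceed. Blocking findings are those at or above
    the threshold with no acceptance, or whose acceptance has expired."""
    today = today or date.today()
    limit = SEVERITY_RANK[normalize_severity(threshold)]
    by_key = {(a.rule_id, a.location): a for a in acceptances}
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK[normalize_severity(f.severity)] < limit:
            result.below_threshold.append(f)
            continue
        acceptance = by_key.get((f.rule_id, f.location))
        if acceptance is None:
            result.blocking.append(f)
        elif acceptance.expires < today:
            result.expired.append(f)
            result.blocking.append(f)
        else:
            result.accepted.append(f)
    result.passed = not result.blocking
    return result


def blocking_by_stage(result: GateResult) -> dict:
    """Count blocking findings per pipeline stage, so the report says where to look."""
    counts: dict = {}
    for f in result.blocking:
        counts[f.stage] = counts.get(f.stage, 0) + 1
    return counts


# Constructed sample input: one finding per integration point, plus two acceptances.
TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible
SAMPLE_FINDINGS = [
    Finding("repo",  "secret/aws-access-key",       "critical", "config/settings.py:12"),
    Finding("deps",  "VULN-EXAMPLE-1",              "HIGH",     "pkg:pypi/example-lib@1.2.0"),
    Finding("deps",  "VULN-EXAMPLE-2",              "High",     "pkg:pypi/other-lib@0.9.1"),
    Finding("image", "image/os-package-outdated",   "high",     "registry.example/app:abc123"),
    Finding("iac",   "iac/storage-public-read",     "medium",   "terraform/bucket.tf"),
    Finding("deps",  "VULN-EXAMPLE-3",              "Moderate", "pkg:npm/widget@3.0.0"),  # unknown label
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("VULN-EXAMPLE-1", "pkg:pypi/example-lib@1.2.0", date(2024, 9, 30)),        # still valid
    RiskAcceptance("image/os-package-outdated", "registry.example/app:abc123", date(2024, 3, 31)),  # lapsed
]


def run_sample() -> GateResult:
    return evaluate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, threshold="HIGH", today=TODAY)


if __name__ == "__main__":
    import sys
    r = run_sample()
    print("gate:", "PASS" if r.passed else "FAIL", "blocking by stage:", blocking_by_stage(r))
    for f in r.expired:
        print("acceptance expired:", f.stage, f.rule_id, f.location)
    sys.exit(0 if r.passed else 1)
```

Run stand-alone, the sample fails the gate: the repo secret, one dependency with no acceptance, the dependency whose scanner label was unfamiliar, and the image finding whose acceptance lapsed all block, while the accepted dependency is suppressed and the medium IaC finding is only recorded. The two design choices worth copying are the fail-closed handling of unrecognised severities and the expiry on acceptances, which is what turns "we'll look at it in the next audit" into a date the pipeline enforces.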
It's not so much about using specific tools and processes. Container platforms that bring together necessary automation, scanning, workflow, developer tooling and management certainly simplify integration and maintenance going forward. But equally important is developing a mindset and building a DevSecOps culture with continuous security that replaces multi-month patch cycles and periodic audits.
You don't need to call this DevSecOps. But maybe it's not a bad idea.