7 Steps to Transforming Yourself into a DevSecOps Rockstar
Security practitioners at one education software firm offer lessons learned from merging DevOps with security.
March 23, 2017
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blta8ac85ca12742bb0/64f0d8351a256b06c7a35111/01-rockstar.jpeg?width=700&auto=webp&quality=80&disable=upscale)
The union between DevOps and information security stands to help organizations not only deliver software more quickly, but also finally achieve something that application security professionals have been chasing for years now: securing code much earlier in the software development lifecycle. According to recent numbers, high-performing IT teams that engage in DevSecOps work patterns need to spend 50% less time remediating security issues because they're fixing problems throughout the entire lifecycle.
But achieving those kinds of gains requires that security professionals make big changes in attitudes, work habits, and communication methods, say two professionals from higher ed software developer Ellucian, who have helped the firm transform its development practices. Dark Reading recently caught up with Michele Chubirka, security architect, and Troy Marshall, DevSecOps and cloud reliability leader, to discuss what it takes to get into the DevSecOps groove.
[Learn more about DevSecOps during Interop ITX, May 15-19, at the MGM Grand in Las Vegas. To check out the other Interop security sessions, or to register, click on the live links.]
Nearly six in 10 IT professionals believe that security is an inhibitor to DevOps agility. That's a problem for the business, which is increasingly depending on said agility to compete in the app economy.
"Our job is to minimize risk, not enforce our tunnel vision throughout an organization in order to make Information Security the center of the universe," Chubirka says.
She explains that security leaders who want to transition to DevSecOps will need to let go of manual gating processes that require lots of human interaction and introduce a ton of friction into the flow of business.
"It brings business to a grinding halt," she says. "It doesn't work and doesn't help an organization's overall security profile."
When security professionals understand the language of developers it becomes much easier to clearly define specific requirements in a way that directly translates to developers' daily work.
"Most security organizations do a horrible job in articulating their expectations and just throw around 'best practices' and NIST standards," Chubirka says.
She suggests that DevSecOps pros will get better results by first communicating their non-functional requirements (NFR) in a template that's embedded in a product's MVP statement. From there, it's a matter of reaching out to development teams through security champions embedded in those teams.
"Sit in scrum teams and provide feedback," she says. "Teach them to threat model and implement standard questionnaires that can assist with this."
Make no bones about it, automation is the engine by which DevOps teams scale their efforts. Security should be no different, and if security professionals truly want to achieve DevSecOps nirvana, they need to be striving for the ideal of security "policy as code," says Chubirka.
"Establish what you want to enforce, the boundaries, then operationalize through automation systems in order to align with the DevOps pipeline model," she says.
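As an added illustration of that advice (not Ellucian's or Dark Reading's code), the script below turns a few written non-functional requirements into a "policy as code" gate a CI pipeline stage can run instead of a manual review; the rule ids, manifest layout and sample manifest are constructed for the example.

```python
# Added example: a minimal "policy as code" gate. Each Rule encodes one boundary
# from the NFR template as data; the pipeline runs evaluate()/gate() on the
# deployment manifest instead of waiting on a manual security sign-off.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    id: str                      # hypothetical id that maps back to the NFR template
    severity: str                # "block" fails the pipeline, "warn" only reports
    check: Callable[[Dict], bool]
    message: str

# The boundaries we want to enforce, written once rather than re-argued per release.
POLICY: List[Rule] = [
    Rule("NFR-TLS-1", "block", lambda m: m.get("ingress", {}).get("tls") is True,
         "ingress must terminate TLS"),
    Rule("NFR-SEC-2", "block", lambda m: not m.get("container", {}).get("privileged", False),
         "containers must not run privileged"),
    Rule("NFR-SEC-3", "block",
         lambda m: not any(k.upper().endswith(("_PASSWORD", "_SECRET", "_TOKEN"))
                           for k in m.get("env", {})),
         "secrets must come from a secret store, not plain env vars"),
    Rule("NFR-OPS-4", "warn", lambda m: "owner" in m.get("labels", {}),
         "deployment should carry an owner label for incident routing"),
]

def evaluate(manifest: Dict, policy: List[Rule] = POLICY) -> List[Tuple[str, str, str]]:
    """Return (rule id, severity, message) for every rule the manifest violates."""
    return [(r.id, r.severity, r.message) for r in policy if not r.check(manifest)]

def gate(manifest: Dict, policy: List[Rule] = POLICY) -> bool:
    """Pipeline verdict: True lets the deploy proceed, False stops it on any blocker."""
    findings = evaluate(manifest, policy)
    for rule_id, severity, message in findings:
        print(f"[{severity.upper()}] {rule_id}: {message}")
    return not any(sev == "block" for _, sev, _ in findings)

# Constructed sample manifest, as a scrum team might submit it for deployment.
SAMPLE_MANIFEST: Dict = {
    "service": "registrar-api",
    "ingress": {"tls": False},
    "container": {"privileged": False},
    "env": {"LOG_LEVEL": "info", "DB_PASSWORD": "placeholder-not-a-real-secret"},
    "labels": {"team": "sis"},
}

if __name__ == "__main__":
    print("deploy allowed:", gate(SAMPLE_MANIFEST))
```

Running it against the sample manifest reports two blocking findings (no TLS, a password in plain env) and one warning, so the deploy is stopped; fixing the two blockers lets it through with the warning still logged.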