The approach organizations should take to develop and maintain an effective DevSecOps culture were highlighted by Patrick Debois, director of market strategy at Snyk during a session at the Infosecurity Magazine Online Summit EMEA 2021.
Debois firstly emphasized the importance of an organization’s culture in determining the DevSecOps strategy that should be employed. “The CEO and culture of your company will set the tone on the areas upon which your DevSecOps transformation will address,” he commented. Depending on the context, this may involve greater focus on automation, metrics, empowerment or command and control.
He then outlined the different ‘topologies’ available, which relate to the nature of the relationship between dev and ops teams, with varying degrees of closeness. The type that will work best in a given organization is dependent on the culture that has been developed, he said. These can manifest in five ways:
- Dev and ops collaboration
- Fully shared ops responsibilities
- DevOps with expiry date
- DevOps Evangelist
- Container-driven collaboration
Debois went on to describe three team interaction modes that need to be considered:
- Collaboration: the day-to-day human collaboration
- X-as-a-service: the self-servicing automation that a developer can use
- Facilitating: a facilitation by the teams to help guide the collaboration
He added: “If you’re constructing how your teams overlap, you also have to look at how they will collaborate.”
Ultimately, in the view of Debois, building and gaining trust between the respective teams is what is most essential. He highlighted four key facets related to this:
Debois noted that competence is not enough on its own. “That’s why I see DevSecOps as the trust building up between both parties,” commented Debois.
Finally, the four areas of DevSecOps were defined as the following:
- Secure stack: what is being delivered and is that secure? e.g. code dependencies
- Secure delivery: how it’s being delivered and is that secure? e.g. is the integrity of the download secure
- Security governance: Where the team hooks into the processes of the security team
- Security empowerment: How the team interacts with security, ultimately to acquire security knowledge.
These are all interlinked, and there is an equal focus placed upon each. Debois concluded: “You have to level up in a spiral way on all of these areas.”