The approach organizations should take to develop and maintain an effective DevSecOps culture was highlighted by Patrick Debois, director of market strategy at Snyk, during a session at the Infosecurity Magazine Online Summit EMEA 2021.
Debois firstly emphasized the importance of an organization’s culture in determining the DevSecOps strategy that should be employed. “The CEO and culture of your company will set the tone on the areas upon which your DevSecOps transformation will address,” he commented. Depending on the context, this may involve greater focus on automation, metrics, empowerment or command and control.
He then outlined the different ‘topologies’ available, which relate to the nature of the relationship between dev and ops teams, with varying degrees of closeness. The type that will work best in a given organization is dependent on the culture that has been developed, he said. These can manifest in five ways:
- Dev and ops collaboration
- Fully shared ops responsibilities
- DevOps with expiry date
- DevOps Evangelist
- Container-driven collaboration
- Collaboration: the day-to-day human collaboration
- X-as-a-service: the self-servicing automation that a developer can use
- Facilitating: facilitation by the teams to help guide the collaboration
Ultimately, in the view of Debois, building and gaining trust between the respective teams is what is most essential. He highlighted four key facets related to this:
- Sincerity
- Reliability
- Competence
- Care
Finally, the four areas of DevSecOps were defined as the following:
- Secure stack: what is being delivered, and is it secure? e.g. code dependencies
- Secure delivery: how it is being delivered, and is that secure? e.g. is the integrity of the download protected?
- Security governance: where the team hooks into the processes of the security team
- Security empowerment: how the team interacts with security, ultimately to acquire security knowledge