The key to successfully implementing DevOps practices is relationships. It’s about breaking down the existing silos between different functions that deliver software, like development and operations. These functions need to work toward a common goal, efficient software delivery.
The other relationship that is key to implementing DevOps is the relationship between security professionals and developers. Developers have had a historically strained working relationship with security professionals. Developer’s performance is often linked to speed of deployments, but security professionals are more concerned with the security of the software. So, when security slows down production to conduct scans or remediate flaws, it can be stressful for developers.
The first thing you should do to help strengthen the relationship is to establish a common goal. Both security professionals and developers should be working toward fast, secure deployments. Next, since part of DevOps is shifting security left, it needs to be done in a way that won’t add too much extra work for developers. For example, automate and integrate the security scans into developers’ existing processes.
Finally, consider promoting people from within to lead the DevOps initiative. If you hire someone from outside that doesn’t know the structure of your organization, it could cause increased tension and unnecessary delays. Count on your team to work together and find ways to successfully implement the new process.
For additional information on implementing DevOps, listen to part 4 of our AppSec Bites podcast series with Threadfix.