At the center of a successful DevOps initiative is a simple but often overlooked concept: Because developers drive the software agenda, developer participation is crucial for achieving a more secure framework. DevSecOps represents the next evolutionary step of secure software development, but even the best governance framework and leading-edge security & development tools can't get the job done if the culture doesn't support it.
If development teams must change the way they've traditionally worked and interacted with other groups, security teams also face big adjustments, to move beyond the check-box compliance mindset. Veracode has a history of promoting an internal culture of security. Our thought leaders recommend the following four strategies for building a DevSecOps culture.
1. Develop a culture of openness and ongoing learning
Within any organization, trust and cooperation between development and security are paramount. Otherwise, security typically becomes reactive and subpar. Openness in communication is a virtue that promotes collaboration and continuous improvement between the development and security teams. No less important: ongoing training and learning. Raising developers' security IQ level pays enormous dividends.
2. Establish strong feedback loops
The term "ChatOps" is rapidly becoming part of the DevOps lexicon. Chat applications, such and Slack and HipChat, help teams collaborate faster and more effectively. At a higher level, some of these interactions can be automated using chat bots, and teams can begin doing away with legacy systems that hold them back, including email.
3. Create security champions
The lack of highly qualified security professionals can make the transition from DevOps to DevSecOps difficult. Savvy organizations identify individuals that understand security within both the Dev and the Ops groups. These individuals serve as security champions who become the security conscience of their teams.
4. Bolster team autonomy
Successful DevSecOps leaders empower their teams and give them the authority to determine many of their own processes and tools based on their needs. Teams should define their own culture as well. Distributed decision-making promotes greater responsibility and innovation.
Getting to DevSecOps
A strong security culture is one of three pillars of DevSecOps, along with processes and technologies, which we'll explore in future blog posts in this series. For more best practices of getting to DevSecOps, download The Developer's Guide to the DevSecOps Galaxy.