The new processes within DevSecOps
DevSecOps has changed the role of Sec in DevOps. Security used to sit in the end phase, where it was a big hump in the way of going to production; it is now part of every stage of the development life cycle. This entails integrating security earlier in the application development life cycle and thinking about infrastructure and application security right away. It also entails automating a few security checkpoints to prevent a delay in the DevOps workflow. Figuring out the right tools and processes for people can assist them in achieving their goals.
Instead of security stopping the whole pipeline, it is part of each of the following phases:
- Plan
- Code
- Build
- Test
- Release
- Continuous deployment and decommissioning
- Operate
- Continuous monitoring
Figure 1.5: DevSecOps in action
We can have the best tools that money can buy, but DevSecOps will not work if the team is not working. We can have the most cooperative team, but nothing will work out if we don’t have the right set of tools.
- Not all tools are DevSecOps-ready
- Not all tools can fit into a pipeline
Quiet, secluded processes can not only destroy the DevOps culture but ultimately reduce the security posture of the whole organization.
- We can have the best tools
- We can have the best processes
- We can have the best people
However, if the culture of the organization is not exercised, nothing will work.
This compartmentalized way of thinking not only undermines the DevOps culture but also weakens the organization’s overall security posture. The secret is to reduce process friction to a minimum. Any organization’s processes are carried out by people.
DevSecOps processes, which aim to reduce the enterprise attack surface and enable effective management of technical security debt, are carried out by people using technologies. DevSecOps challenges the way traditional security teams integrate with the larger business, which is one of its most crucial aspects. If attitudes are to shift, it will take a top-down strategy to change behaviors and increase awareness at all levels of a company.