DevSecOps: Don’t Invest In Hope

A successful DevSecOps approach is rooted in action, not hope.

Recent Posts By Derek E. Weeks

• Challenges in Leading a DevOps Team at a Fortune 100 Company
• Software Liability Goes Global
• DevSecOps: Digging into Root Cause Analysis

More from Derek E. Weeks

Related Posts

• DevSecOps and DevNetOps: New Heroes in the DevOps Saga
• DevOps Chat: Aqua Security Seeks To Secure Containers
• Intuit’s DevSecOps: War Games and Culture Hacking

Related Categories
• Blogs
• Enterprise DevOps
• Rugged DevOps

Related Topics
• all day devops
• devsecops
• security
• tools

Show more

Show less

There is a lot of investment in hope.

I hope we won’t get breached.

I hope our DevOps teams aren’t deploying thousands of vulnerable containers.

I hope our developers aren’t downloading millions of vulnerable open source components.

I hope our developers and security teams will figure out how to work together.

I hope we won’t be fined under GDPR.

I hope the hackers don’t notice.

Yet, the fact remains that hope will not reduce breaches. Hope does not safeguard your containers or components. Hope cannot achieve collaboration. Hope won’t prevent a fine. Hope is not a strategy.

Many organizations are considering their approach to DevSecOps. They are moving beyond hope to strategy. They are choosing action over indifference. They are taking the first step of their journey.

Here are three ways to start your journey:

Picture This

We all learn from others. Here is a collection of 20 DevSecOps reference architectures. They reveal the choices and priorities others have made ahead of you. Look at what they did. Choose to do something similar, or create your own path from a mix of their ideas. If your canvas is blank, use these to draw something.

Watch This

The pioneers are the ones with the arrows in their backs. Another word for DevSecOps pioneers is practitioner. And many practitioners have navigated their journey successfully enough to share it. More than 15 practitioners shared the tale of their DevSecOps journey during All Day DevOps. Every session was recorded online. Every session is free. Start with this one from DJ Schleen at Aetna and then pick your next one.

Start There

In a panel discussion I sat on recently as a prelude to DevSecOps Days at this year’s RSA Conference, I heard some very practical advice (find the recording here). One of the other panelists, Stephanie Derdouri from Fannie Mae, advised our audience to start with one thing. Don’t pick a bunch of strategies and tactics. Just pick one painful, suboptimal or annoying practice tied to security and improve that element within your DevOps practice.

Pick only one. Start there.

Hope is not a strategy. Action is your only safe option. Take the first step.

Featured eBook

Minimizing the Risks of OpenStack Adoption

OpenStack was created to enable enterprises to create an AWS-like public cloud on-premises. This requires a very different design compared to legacy virtualization vendors, who are trying to package their existing software to look and feel like cloud. Over the last five years, OpenStack has become a solution of choice ... Read More