DevSecOps: Where DevOps and Security Meet

By: Alan Shimel on September 4, 2018 2 Comments

Catching up with three IT leaders on the role of security in the changing world of DevOps


The DevOps methodology as a software and engineering culture goes back nearly 10 years—Patrick Debois coined the term when he named a Belgian software conference “devopsdays.” Since then, the movement has taken on a mind of its own, turning into the go-to strategy for enterprises the world over aiming to accelerate their development timelines and deliver better products faster.

In the shifts and changes that have happened over the last decade, one has been the idea of “DevSecOps,” or the intersection where security practices and DevOps transformations meet. Recently, at the DevOps Enterprise Summit 2018 (DOES18) event in London, several key players in the DevOps world sat down to take a deep dive into the world of DevSecOps. In the following article, we’ll review some of the key points discussed by Ilkka Turunen, head of Solutions Architecture at Sonatype; Zane Lackey, founder of Signal Sciences; and Margo Cronin, senior solution architect for Amazon Web Services during our panel discussion at DOES18.

The first point of the discussion centered around the role of security in DevOps, and how the name “DevSecOps” should never make you think security is secondary.

“I’ve never been crazy about the term DevSecOps, because it’s like ‘Sec’ is an afterthought,” said Turunen. “You know, we were squeezing it in between Dev and Ops, the last kid that got on the bus, and we’re like, go on, just sit in there. For all of us, security is the first priority, the top job—’job zero,’ we sometimes call it. And therefore, for DevOps, it actually understands that security is key, and is the first thing that you do.”

Turunen pointed to recent changes brought on by GDPR that have made privacy one of the pillars of software development, and how this has placed further emphasis on security in DevOps transformations. GDPR is not limited to data portability and data breach notification; it requires "privacy by design," and that requirement cannot be met without security built in from the start.

Later, the conversation turned to how one can create a culture in which everyone thinks of themselves as a security practitioner, a necessary step toward security practices that hold up in day-to-day engineering rather than living in a separate team. The answer lies in making security part of the fundamental culture, a cultural change similar to the one that happened around testing.

“So if you think about testing 10 years ago, it was literally people running from test execution plans, and gradually they changed from that to becoming writers of tests, people that write the automatic-execution, help people, help the floor become more efficient at testing for themselves,” said Turunen. “Teaching them unit testing, all these other frameworks. So I feel like we’re at the brink of a similar kind of change. I think it’s a mixture of both incentives and psychology, and just changing roles.”

Lackey puts it even more simply—that good engineering just goes hand in hand with good security.

“The best way I’ve ever seen, like the highest performing organizations view it, is security is a subset of good engineering. In the way that resiliency is, reliability is, quality is, performance is, is a subset of good engineering,” said Lackey.

Finally, the conversation turned to the role of public cloud service providers and how they can help uplift security for software organizations. For Cronin, the idea of machine learning holds a lot of promise for increasing security.

“You now have services that can scan your landscape and say do you know these large files contain client identifying data, do you know you have keys there?” said Cronin. “And then you have services where you can then change that behavior automatically. But I think that’s where we’re going to see cloud service providers become a lot more active. You know, using machine learning to harden your production landscape before you actually even go to the security operators.”
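The scan-then-remediate pattern Cronin describes (enumerate stored objects, flag the ones holding credentials or customer-identifying data, then derive an automatic action) is sketched below as an added example. It is not code from the panel, from AWS, or from this article: the object names and contents are constructed, the detector list is deliberately small, and the action names (`quarantine_and_rotate`, `restrict_access`) are hypothetical. The only pattern taken from documentation is the AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics); the key used in the sample is AWS's published example key, not a real credential.

```python
"""Toy 'scan-then-remediate' pass over stored objects (added example).

Enumerates a constructed set of stored files, flags credentials and
customer-identifying data, and derives one remediation action per object.
Not any cloud provider's scanning service; action names are hypothetical.
"""
import re
from dataclasses import dataclass

# Detector patterns. The AWS access key ID format is documented by AWS;
# the remaining patterns are intentionally simple for illustration.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs from card_number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    obj: str    # object (file) name
    kind: str   # detector that fired
    line: int   # 1-based line number within the object


def scan_object(name: str, content: str) -> list:
    """Run every detector over each line; return the findings for one object."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "card_number":
                    digits = re.sub(r"[ -]", "", m.group())
                    if not luhn_ok(digits):
                        continue        # digit run that is not a card number
                findings.append(Finding(name, kind, lineno))
    return findings


# Hypothetical policy: leaked credentials are quarantined and rotated,
# identifying data gets its access tightened.
ACTIONS = {
    "aws_access_key_id": "quarantine_and_rotate",
    "private_key_block": "quarantine_and_rotate",
    "email_address": "restrict_access",
    "card_number": "restrict_access",
}
SEVERITY = {"quarantine_and_rotate": 2, "restrict_access": 1}


def plan_remediation(findings) -> dict:
    """One action per object: the most severe action among its findings."""
    plan = {}
    for f in findings:
        action = ACTIONS[f.kind]
        current = plan.get(f.obj)
        if current is None or SEVERITY[action] > SEVERITY[current]:
            plan[f.obj] = action
    return plan


# Constructed sample "bucket": object name -> contents. The access key is
# AWS's documented example key; the card number is a standard test number.
SAMPLE_OBJECTS = {
    "exports/customers-2018-q2.csv": (
        "id,email,card\n"
        "1,alice@example.com,4111 1111 1111 1111\n"
        "2,bob@example.com,1234567890123456\n"      # fails Luhn: not a card
    ),
    "backups/app.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=false\n",
    "logs/build-42.txt": "Build finished in 312s, 0 warnings\n",
}


def scan_all(objects=SAMPLE_OBJECTS) -> list:
    """Scan every object in the constructed bucket."""
    findings = []
    for name, content in objects.items():
        findings.extend(scan_object(name, content))
    return findings


if __name__ == "__main__":
    found = scan_all()
    for f in found:
        print(f"{f.obj}:{f.line} {f.kind}")
    for obj, action in plan_remediation(found).items():
        print(f"-> {action}: {obj}")
```

The Luhn check is the piece a practitioner would want to keep: a bare 13-to-19-digit regex fires on order IDs and timestamps, and an automated remediation step that locks down objects on false positives will be switched off quickly. The per-object "most severe action wins" rule is likewise there so that a file holding both an e-mail column and a leaked key is treated as a credential leak, not merely as PII.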

While the world of DevOps is constantly evolving, growth in highly regulated and compliance-oriented industries, coupled with increased global concern over data privacy, has put more emphasis on incorporating security throughout the software pipeline. To learn more about how these DevOps experts view DevSecOps, and how they are making security a bigger focus in their organizations, you can watch the entire discussion on DevOps TV.

Bonus: You can also watch Cronin’s DOES18 presentation on “Security Automation at Scale” and Lackey’s presentation on “How You Can Use DevOps to Make You More Secure.”

And be sure to join us next time at DevOps Enterprise Summit Las Vegas, Oct. 22-24, 2018!

— Alan Shimel

Filed Under: Blogs, DevSecOps, Events Tagged With: devops, devsecops, DOES London 2018, security