As more organizations rely on a cloud-native approach, they need to take the appropriate steps to secure the software delivery lifecycle. DevSecOps creates a culture of security across the entire organization to better address security vulnerabilities – and there’s no better time to adopt this approach than now. In the first quarter of 2022, data breaches increased 14 percent compared to the first quarter of 2021.
As more organizations shift left to ramp up their DevSecOps initiatives, developers need to understand if and how their role will change to best address security practices. For practical insights on how developers can up-level their roles for DevSecOps, I asked DevOps Institute Ambassadors to share their advice. Here are the top takeaways:
1. Leverage a DevSecOps evangelist
"We can create a good DevSecOps adoption program with proper target goals. Hence, we need a person with a DevSecOps mindset or to hire a DevSecOps Evangelist who can drive the adoption program. The DevSecOps Evangelist can also start by refocusing the current Dev team capability toward DevSecOps. Once the gap/challenge is defined, we can focus on the weak areas and blockers for the Dev to adopt the DevSecOps approach." - Najib Radzuan, principal, Digi Telecommunications
2. Know where developers can contribute to security
"Software developers should not be required to be security experts, except where they can contribute. Developers need to become more interested in learning about SPDX or CycloneDX, adding SBOM and CVE scanning to their pipeline. Centralizing the data so it can be used would also be helpful. New tools are moving into the market around software supply chain management. Developers will need to understand the principles of supply chain management and begin to incorporate them into their pipeline automation." - Tracy Ragan, CEO and co-founder, DeployHub
3. Start with soft skills for better collaboration
"Upskilling Dev team members to DevSecOps knowledge and capabilities starts with DevSecOps foundation-level education. This ensures all team members have a common understanding of soft skills such as collaboration with security experts, DevSecOps terminology, and proven industry DevSecOps practices. DevSecOps practitioner-level training is essential to master specific ‘how-to’ skills for individual DevSecOps practices, technologies, and automation capabilities." - Marc Hornbeek, CEO and principal consultant, Engineering DevOps Consulting
4. View DevSecOps from an enterprise perspective
"DevSecOps makes our businesses more efficient and thus more competitive. The journey from Dev to DevSecOps depends on the DevOps maturity of an organization. This means shifting security left in the dev cycle for commercial and public sector enterprises. The following are tips for developers embracing a DevSecOps journey:
- Choose to go for a small proof-of-concept project first
- Plan for agile and iterative code releases
- Embrace automated testing across your toolchain
- Invest in upskilling
- Get involved in security discussions
- Make compliance policies a mandatory gating requirement
- Share security practices across project teams on a regular basis." - Parveen Arora, founder and director, VVnt SeQuor
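As an added example, not part of the article or any contributor's words, here is the kind of pipeline check that ties item 2 (SBOM plus CVE scanning in the pipeline) to item 4's mandatory compliance gate: a small Python script that reads a CycloneDX SBOM and fails the build when a component's version is below the fixed version in an advisory. The SBOM, the advisory list and the CVE ids are constructed placeholders, not real data.

```python
import json

# Constructed minimal CycloneDX SBOM; component names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3",
     "purl": "pkg:pypi/libexample@1.2.3"},
    {"type": "library", "name": "widgetkit", "version": "4.0.1",
     "purl": "pkg:npm/widgetkit@4.0.1?arch=x64"}
  ]
}"""

# Constructed advisory feed; the CVE ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "purl_prefix": "pkg:pypi/libexample",
     "fixed_in": "1.2.4", "severity": "high"},
    {"id": "CVE-EXAMPLE-0002", "purl_prefix": "pkg:npm/widgetkit",
     "fixed_in": "3.9.0", "severity": "critical"},
]
def parse_version(v):
    """'1.2.3' -> (1, 2, 3), so 1.10.0 sorts after 1.9.0 (string order would not)."""
    return tuple(int(p) for p in v.split("."))

def find_vulnerable(sbom_json, advisories):
    """Match each component's purl against advisories; flag versions below the fix."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "").split("?", 1)[0]   # drop purl qualifiers
        base, _, version = purl.rpartition("@")
        if not version:
            continue                                   # no version: cannot assess
        for adv in advisories:
            if base == adv["purl_prefix"] and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return findings

def gate(sbom_json, advisories, block_on=("high", "critical")):
    """Pipeline gate: returns (passed, findings); fails if any finding's severity is in block_on."""
    findings = find_vulnerable(sbom_json, advisories)
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, findings

if __name__ == "__main__":
    ok, found = gate(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity'].upper()}: {f['component']} {f['version']} ({f['advisory']})")
    raise SystemExit(0 if ok else 1)               # non-zero exit blocks the pipeline stage
```

Run as a pipeline step, the non-zero exit status is what makes the policy a gate rather than a report; the severity threshold is the knob a team tunes as it matures.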
5. Make it a cultural shift for developers
"DevSecOps is a crucial evolution in the agile/DevOps movement, and it is important for everyone to understand the risks of pushing vulnerable software into production. Upskilling your team or organization to leverage DevSecOps requires a 360-degree cultural shift within the organization from executives to engineering and operations teams. This transition requires additional effort around the tooling, automation, and skilled resources.
"Attending events, workshops and meetups can help developers educate themselves and read about the guidance and principles in accredited papers from security professionals and other governing bodies such as the National Institute of Standards and Technology (NIST).
"There are also technology platform approaches to help augment the skillsets an organization needs today and help developers through the initial upskilling phase more easily with a policy-based pipeline approach. The idea is to bake security gates and processes into the software delivery lifecycle so that vulnerabilities can be addressed or mitigated as your team develops new skills for enhancing its security posture and scaling a DevSecOps program." - Vishnu Vasudevan, head of product, Opsera
6. Focus on the individual developer journey
“DevOps Institute has DevSecOps Foundation and Practitioner courses designed with a developer audience in mind. It also helps to have security personnel work alongside development/product teams for a few months and let them learn by osmosis from one another. I’ve found that the 80:20 rule applies here – about 80 percent of problems are caused by the same 20 percent of vulnerabilities. It’s not as hard as you might think for developers to learn what they need to know. Additionally, by seeing how developers work, security understands how they can provide pre-approved security libraries as early as the IDE and avoid interrupting flow.” - Helen Beal, chief ambassador, DevOps Institute
The entire organization is impacted by DevSecOps adoption. Some of the best things developers can do to evolve their role along with this change include actively learning, participating in the cultural shift, working on human (or soft) skills for optimal collaboration, and looking to specific DevSecOps leadership that may be brought on board to lead the transformation.