DevOps is all about making better software faster. It also requires making it more safely, while compressing the time between ideation and realization. I hear IT organizations tell me time and again of their ambitions to be the innovation powerhouse for their business. It's great news that most survey respondents (more than 80% in fact) didn't see their AppSec tools as an inhibitor of innovation, but rather a safety measure.
If you've read The Phoenix Project, you'll probably remember the portrayal of John, the CISO. He started the book as an outsider, on a completely different wavelength from the other characters. But John was also pivotal to Bill's realization that he needed to amplify the feedback loops between IT and the business and get much closer to his organization's "why." Security has often been a bit of an afterthought in the DevOps world for many organizations, but hark back to the "more safely" part of my first sentence.
I recently had a conversation with Magnus Hedemark on LinkedIn, where he pointed out that DevOps breaks the iron triangle of cost, speed and quality. Traditionally, there has always been a trade-off where you could only be great at two. For example, you could have speed and quality, but only at very high cost.
In addition to enabling all three attributes of the iron triangle, DevOps gives us a bonus fourth portion of delight: happy people. Thus, the "Beal-Hedemark Golden Square of DevOps" was born. DevOps allows us to deliver at low cost, at high speed and high quality, along with this extra dose of happiness (have you heard of HumanOps or HugOps?).
DevOps-native AppSec tools integrate early into your SDLC, allowing your software engineers to make informed choices about the composition of your applications. DevOps-native tools also help avoid costly future situations and support the Golden Square.
Shifting security left in this way:
- Saves us money and time down the line by mitigating risk (cost).
- Reduces the need for expensive and time-consuming penetration and vulnerability testing, avoiding nasty surprises from both a security incident and a commercial licensing point of view (speed).
- Automates quality into your tool-chain by integrating these tests into your CI/CD pipelines (quality).
- Empowers your developers by warning them of the risks as they add artifacts to their applications, and giving them the opportunity to make an informed choice about what would be a better option (happiness).
Building the right AppSec tools seamlessly into the DevOps loop (your continuous release cycle) means your IT delivery value stream operates faster, cheaper and at high quality. Your software engineers are happy because they produce high-quality code. Your security teams are happy because they know their policies are being followed and can see it. And most importantly, your customers are happy because they get what they need and everyone is safe.
DevOps-native AppSec tools help drive innovation: they provide a light "belt and braces" touch (if that's not too oxymoronic) that allows a safety culture to evolve.
Want to learn more about DevSecOps?
This blog is one of seven in a series, providing expert commentary and analysis on the results from Sonatype's 2017 DevSecOps Community Survey.