DevOps to DevSecOps Evolution in an Agile Framework
The evolution from DevOps to DevSecOps represents a fundamental shift in how organizations approach security - integrating it throughout the development lifecycle rather than bolting it on at the end.
Jason Franklin
March 18, 2019 · 5 min read

DevOps has become a common subject and framework adopted throughout the technology industry. Let's discuss why evolving from DevOps to DevSecOps in an Agile framework is the next necessary step in the process. One of the best-known practices in DevOps is breaking down silos between the teams in a company's technology department (especially development, operations, and QA), and it even extends to breaking down the silos between technology and the business. If you haven't heard the term "DevOps" already, you'll most likely begin hearing it more as it's adopted on a larger scale, even if you do not work in technology.

For those of you still unfamiliar with DevOps, here's a short description of what it is. DevOps is a set of software development practices that combines software development (Dev) and information technology operations (Ops) to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives. DevOps culture stresses small, multidisciplinary teams that work autonomously and take collective accountability for how actual users experience their software. Everything they do is about making customers' live experience better. DevOps teams apply agile practices and include operations in the team's responsibility.

DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a 'Security as Code' culture with ongoing, flexible collaboration between release engineers and security teams.
As you can see below, the flow of DevSecOps shares some of the same ideology as traditional DevOps, but with a layer of security surrounding the whole process and included throughout it, from the very beginning of the development and operations life cycle.
"DevSecOps means thinking about and considering application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Selecting the right tools to continuously integrate security can help meet your security goals, but effective DevOps security requires more than new tools. It builds on the cultural changes of DevOps to integrate the work of security teams sooner rather than later." - RedHat
In the older waterfall days of software development, not having security involved from the very beginning wasn't as problematic, because software development cycles sometimes lasted months or even years. Now, with the implementation of Agile, DevOps, and the CI/CD (continuous integration and continuous delivery) pipeline, software development, testing and release cycles are much faster. Some companies push out new software or patches daily, weekly or in integrated releases, depending on each team's goals and the business's needs and demands.
This is why it's more important now than ever to involve security from the beginning of the software or application development process. This strategy helps to prevent slowdowns or impediments at the end of the cycle, which would cause a stop or rework of a previous sprint development cycle.
In conclusion, a DevSecOps environment brings security into the picture at the very beginning instead of waiting until the development process or cycle is complete. By doing this, you are breaking down the silo between development, operations, QA and security. This will allow your agile DevOps team to avoid lengthy and strenuous compliance and security audits at the end of the development life cycle.
Whether you are just learning about DevOps, moving into it, or have been involved in its cultural change for years, I'm sure you can see the benefits of evolving your DevOps culture into a complete DevSecOps culture. This will truly allow security to be a shared responsibility integrated from end to end, as DevOps originally intended before the security aspect somehow got left out along the way.
Written by
Jason Franklin. Forward Thinker. Servant Leader. Technology Enthusiast. Technology leader and community builder based in Texas.