Understanding DevSecOps as a Philosophy
DevSecOps represents a fundamental shift from security as a gate to security as guardrails. At Leidit, we define it as embedding security practices throughout the development lifecycle. Security decisions are made at the speed of development, rather than waiting for development to finish and then tacking security on at the end to get approval.
The Mindset Shift: Secure Design Is Good Design
The biggest mindset shift needed is that “secure design is good design”. Security has always been important, but the stakes are higher now than they have ever been, and that won’t change anytime soon. Organizations cannot afford to treat security as an afterthought. MVPs are a great way to demonstrate functionality on the development side, but an MVP should never be the security methodology.
Fostering Collaboration Across Teams
This can be summed up in one word: transparency. When we work with a client, I want everyone to know what we are attempting to accomplish. We organize cross-functional workshops to spread the word, to build relationships, and to start surfacing the unknowns. This involves getting security, development, and operations stakeholders on a call to walk through the game plan and start asking questions. I want those stakeholders involved. If anyone has concerns about a project, it’s much better to understand them early. The earlier we understand security concerns, the more time we have to address them, which lessens the likelihood of project timelines slipping.
Overcoming Common Cultural Friction
Security is too often seen by development as a necessary evil, reflecting a “secure because we have to” approach. DevSecOps, on the other hand, challenges organizations to adopt a “secure by design” approach. In my experience, the security team appreciates being invited to the table early on. With security involved throughout the development process, the security review at the end is much simpler.
Lessons from the Field
It feels cliché to say, but the shift to DevSecOps doesn’t happen overnight. Culture, mindset, and discipline take time to develop. Be okay with refining the process and learning along the way.
Getting Started: Practical Advice
Start small and celebrate wins early and often. The goal of DevSecOps isn’t to slow down development with security; it’s to embed security throughout the process. When DevSecOps is part of the culture, you shouldn’t see a dramatic difference in the time it takes for a change to reach production systems.