Technology Magazine September 2024 | Page 67

DIGITAL ECOSYSTEMS

“Today in some security teams, there is this approach of the ‘beatings will continue until morale improves’.”

LARRY MACCHERONE, DEVSECOPS TRANSFORMATION ARCHITECT, CONTRAST SECURITY
This, Maccherone explains, can result in less effective operations. “At best, you often get a checkbox-like response. What’s the minimum I can do to get you to go away? And that usually means it’s not very effective. They’re not sensitive to the context that they’re running in. They’re not adapted to modern approaches to development. If you only enforce the ones that are appropriate, then that seems arbitrary. And the developers start to think, if they don’t have to do some of these policies, why should they have to do any of the others?
“But if you tried to enforce all of it, it would be too much information. It’s depressing, as a solution, and it doesn’t work.”
Instead, Maccherone argues, organisations can take a different approach, one that enables true DevSecOps.
“DevSecOps is about empowering engineering teams and collaborating with engineering teams,” Maccherone explains. “But that isn’t enough. It’s not even enabling them, because you can lead a horse to water. That’s the enabling part. But you can’t make them drink.
“I don’t want them to be made to drink. I want them to be able to lead themselves to water and drink. Empowering is the right word here, to take ownership of the security of their products. You can’t have DevSecOps without DevOps.”
Implementing a culture of DevSecOps

This, Maccherone explains, involves implementing a culture of flow, of feedback, of experimentation and of learning. Better collaboration between development, security and operations teams improves an organisation’s response to incidents and problems when they occur.
“This is the real definition of DevOps, and if you aren’t actually buying into these concepts, you’re not really doing DevOps in my mind.”
“Ultimately, this process aims to continue to provide value, delivering security at speed,” Maccherone concludes. “We can never forget that roadmaps have to be maintained, they have to be met and we have to keep delivering software. We can’t stop the presses to do some security.”
“We have to hopefully accelerate security in the long run,” he adds. “I don’t like to talk about policies, I prefer to talk about practices, because the policy is something somebody says you must do.
“Practice is what you actually do. And so I want people to adopt practices. I want development teams to adopt practices, to identify a list of practices that you want to encourage, and ultimately empower engineering teams to adopt.”
technologymagazine.com | 67