The most important win in a DevSecOps implementation is that security is baked into the software development and IT processes much earlier, instead of being bolted on after the software has been developed and deployed. Ownership of security lies with everyone involved in DevOps, so people feel accountable. Security becomes a continuous process and a continuous thought, and seldom drops off the radar. We have seen organizations where DevSecOps initiatives resulted in faster software delivery because security and compliance requirements no longer slowed it down. Collaboration between security and DevOps teams improves, so the quality and security of the software improve markedly.
With DevSecOps, vulnerabilities in code and design are identified very early in the software development lifecycle, and IT operations plan the infrastructure with secure software development frameworks and hardened services, containers and virtual machine images, using desired state configuration and infrastructure as code. Newer developments like Compliance as Code express security and compliance requirements as version-controlled, human-readable code, which strengthens audit trails and enables quick, repeatable security tests against the hardened infrastructure.
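The following is an added illustration of Compliance as Code, not code from the original article or from any product it refers to. The policy rules, their ids (SSH-001 and so on), the desired-state configuration format and the sample values are all constructed for the example; the point is that the requirements live as reviewable, version-controlled code and are evaluated automatically and repeatably against the rendered configuration of a hardened image.

```python
"""Compliance as Code: security requirements for a hardened VM/container image
expressed as version-controllable data, evaluated against a desired-state
configuration. Added example; the rule ids, the configuration format and the
sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable

# A constructed desired-state configuration, as an image build pipeline might
# render it from infrastructure-as-code before the image is published.
SAMPLE_IMAGE_CONFIG = {
    "sshd": {"PasswordAuthentication": "no", "PermitRootLogin": "yes"},
    "packages": {"openssl": "3.0.13", "telnetd": "0.17"},
    "filesystem": {"/etc/shadow": {"mode": 0o640, "owner": "root"}},
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the configuration complies


def _mode(cfg: dict, path: str) -> int:
    # An unknown file is treated as world-writable so a missing entry fails closed.
    return cfg.get("filesystem", {}).get(path, {}).get("mode", 0o777)


# The policy itself: human-readable, reviewable in a pull request, and stored
# next to the infrastructure code it governs. Rule ids are constructed.
POLICY = [
    Rule("SSH-001", "SSH password authentication must be disabled",
         lambda c: c.get("sshd", {}).get("PasswordAuthentication") == "no"),
    Rule("SSH-002", "Direct root login over SSH must be disabled",
         lambda c: c.get("sshd", {}).get("PermitRootLogin") == "no"),
    Rule("PKG-001", "Cleartext remote-access services must not be installed",
         lambda c: not ({"telnetd", "rsh-server"} & set(c.get("packages", {})))),
    Rule("FS-001", "/etc/shadow must not be group- or world-writable",
         lambda c: _mode(c, "/etc/shadow") & 0o022 == 0),
]


def evaluate(config: dict, policy=POLICY) -> list[str]:
    """Return the ids of the rules the configuration violates (empty = compliant)."""
    return [rule.rule_id for rule in policy if not rule.check(config)]


def report(config: dict, policy=POLICY) -> str:
    """Human-readable audit record, one line per rule, suitable for a build log."""
    failed = set(evaluate(config, policy))
    return "\n".join(
        f"{'FAIL' if r.rule_id in failed else 'PASS'} {r.rule_id}: {r.description}"
        for r in policy
    )


if __name__ == "__main__":
    print(report(SAMPLE_IMAGE_CONFIG))
    # In a pipeline, a non-empty violation list would fail the image build.
    raise SystemExit(1 if evaluate(SAMPLE_IMAGE_CONFIG) else 0)
```

Because the rules are plain code, each change to the policy is itself a reviewed, versioned commit, which is the audit-trail benefit the article refers to; the same evaluation runs identically on every build, which is the repeatability benefit.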
Identify your organization's security posture and assess what tools and practices are in place to ensure security. Identify the areas where security fails to keep up with the speed of business delivery, or fails to serve the needs of the business, because of traditional security practices and tools. Start with a small pilot DevSecOps initiative in a business unit or software delivery team that faces security challenges and could take advantage of the DevSecOps benefits. Train your workforce so that business analysts and product owners know what security risks they are up against, and developers and operations know how to secure by design and how to respond to security incidents.
Leverage state-of-the-art security tooling to bring security closer to developers and into the build systems they already know. Stay focused on bringing security earlier in the software development lifecycle, and take advantage of techniques like Agile Threat Modelling to focus security testing efforts and to identify technical security requirements before any code is written. Bring in automated scanning to reject build check-ins if the software contains vulnerable versions of open source libraries and third-party components.
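As an added example of the build gate described above, not code from the original article or any tool it mentions, the following script checks pinned dependencies against a list of vulnerable version ranges and fails the build when one matches. The lock-file contents and the advisories are constructed (the EXAMPLE-000x identifiers are placeholders, not real CVEs); a real gate would read the ranges from an advisory feed such as OSV, which uses the same introduced/fixed shape. The gate also refuses unpinned requirements, because a version it cannot determine cannot be proven safe.

```python
"""Build gate that rejects a check-in when a pinned dependency falls inside a
known-vulnerable version range. Added example; the lock-file lines and the
advisory entries are constructed, not real advisories."""
import re
from dataclasses import dataclass

# Constructed lock-file content in requirements.txt style (name==version).
SAMPLE_LOCKFILE = """\
# generated by the build
requests==2.19.0
pyyaml==5.4.1
urllib3==1.26.18
left-pad==0.0.1 ; python_version >= "3.8"
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first vulnerable version (inclusive)
    fixed: str       # first version no longer vulnerable (exclusive)
    note: str


# Constructed advisories for illustration only; the identifiers are placeholders.
ADVISORIES = [
    Advisory("requests", "0", "2.20.0", "EXAMPLE-0001 (placeholder id)"),
    Advisory("pyyaml", "0", "5.4", "EXAMPLE-0002 (placeholder id)"),
    Advisory("urllib3", "0", "1.26.5", "EXAMPLE-0003 (placeholder id)"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.26.18' into (1, 26, 18) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lockfile(text: str) -> dict[str, str]:
    """Map package name to pinned version; anything not pinned exactly is an error."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments/markers
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def is_vulnerable(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def gate(lockfile_text: str, advisories=ADVISORIES) -> tuple[bool, list[str]]:
    """Return (allowed, findings); the check-in is rejected when any finding exists."""
    pins = parse_lockfile(lockfile_text)
    findings = [
        f"{adv.package}=={pins[adv.package.lower()]} is in vulnerable range "
        f"[{adv.introduced}, {adv.fixed}) ({adv.note})"
        for adv in advisories
        if adv.package.lower() in pins and is_vulnerable(pins[adv.package.lower()], adv)
    ]
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    allowed, findings = gate(SAMPLE_LOCKFILE)
    for f in findings:
        print("REJECT:", f)
    print("build allowed" if allowed else "build rejected")
    sys.exit(0 if allowed else 1)
```

Wired into the CI job that runs on every push, the non-zero exit code is what turns the scan into a gate rather than a report; the same range comparison applies to container base images and other third-party components once their versions are recorded in a machine-readable manifest.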
For more strategic and implementation details, please refer to our Software Security Maturity Model and our recent DevSecOps case study.