DevSecOps Takes Center Stage

Gartner recently posted their Top 10 Strategic Technology Trends for 2018 and DevSecOps practices made the list.

Here's what they said, "Traditional security techniques using ownership and control rather than trust will not work in the digital world. Infrastructure and perimeter protection won’t ensure accurate detection and can’t protect against behind-the-perimeter insider attacks. This requires embracing people-centric security and empowering developers to take responsibility for security measures. Integrating security into your DevOps efforts to deliver a continuous 'DevSecOps' process."

The Gartner blog details what we've been discussing for quite some time now at Sonatype: traditional security practices can't keep up in a DevOps world. Bolt-on practices at the end of the SDLC won't work. Analysis of applications that takes eight to 24 hours to complete doesn't fit. Open source governance that delivers 90% false positives won't scale. And Dev, Sec, and Ops teams that maintain tribal conflicts can't evolve to a better state.

When it comes to DevSecOps, we've been writing, organizing conferences, leading discussions, hosting meet-ups, and speaking at industry events on it for about four years now. That said, when you're a small but fast-growing technology firm, those early days are often missed by the mainstream; but in 2017, Gartner's coverage really picked up steam. Gartner reported over 600 analyst inquiries on DevSecOps in the past year. They've published numerous reports on DevSecOps led by folks like Neil MacDonald, Ian Head, and Mark Horvath.

Make no mistake. Gartner did not make the DevSecOps market. They are reporting on what they hear from their clients in the market and providing expert guidance to help those customers navigate their own transformations. When Gartner starts regular coverage of a topic, you know that it's gone mainstream.

Whether you are just getting started on your DevSecOps journey or started heading down that path years ago, Gartner offers sage advice in their paper, 10 Things to Get Right for Successful DevSecOps. It offers great perspective and is worth reading.

Great News!!! Securing CI/CD is moving to another level.


Great news that this terminology/concept is on the uptick, even if just verbally, as rational choice continues to be little more than a good theory. Complexity requires capacity, efficiency leads to capacity, organization leads to efficiency. Both DevOps and DevSecOps are attempts at efficiently encapsulating complex ideas and practices. Other than early adopters, most folks, even smart ones, use shortcuts. In this frantic and complex world, who can blame them? The more a terminology is used the more importance it gains and the more likely that someone takes a moment to understand it. IF the concept is succinct && cogent it stays front of mind and there is the potential for mass adoption. Mass adoption brings with it a lot to consider, but usually preferable to no adoption.


Good bakers put all of the ingredients into the cake batter before they hand it over to the oven.

Agree with article. Wish we'd not toy with term DevOps. Then again I never thought I'd support job titles with DevOps, and now I have one, so I am a hypocrite. I just hope BizDevSecAuditCompMktgSalesOps isn't where we are headed.
