Security Teams in DevOps? There's No Such Thing
Yesterday, I had an interesting conversation (recording available) with Eliza May Austin, founder of Ladies of London Hacking Society. The podcast has been listened to over 800 times in the first 24 hours, and much of the discussion around it centers on the fact that many, if not most, people commenting were excited to hear there is no such thing as a security team as part of a DevOps initiative. No one has seen it. It's like a unicorn... fun to talk about, but no such thing. (For those in the London area, Eliza will be delivering the keynote at DevSecOps Days on March 22, and will be talking about this.)
The eye-opening thing for me is that people are happy, and relieved, to hear they are not the only ones encountering this phenomenon. I feel as if I've been living in an echo chamber bubble if security people haven't seen an environment where security is integrated into the software pipeline, not as a silo, but as part of the team. It's intriguing to me that I'm working on a daily basis, advocating for DevSecOps as a cultural transformation, but people in the trenches are saying it's nonexistent.
As the co-founder of the world's largest DevOps conference, All Day DevOps (30,000+ registrations last year), I'm going to see what I can do about this perception. There are definitely companies who can tell the DevSecOps story, but it seems as if the message isn't getting to the people who could utilize that knowledge the most.
Do you agree that DevSecOps is a nice concept, but doesn't exist in the real world? Has your company implemented a DevOps/DevSecOps initiative we can use as a story to show others how it was done? I'm open to both sides.
The floor is open. Let's talk about it.
My stance on information security has always been guardrails over gatekeeping. I want to empower my users, not force them to engineer around me, which they will do. So that's a wholehearted yes from me on this statement; together we are better, faster and stronger.
Great question and thread! My own $.02 as an observer and former member of the developer tribe is that the change is coming, but it's slow. I went through the same thing with DBAs in the early days of continuous integration. The world of the security practitioner is changing around them faster than they can adapt right now. Even so, there are plenty of real-world examples where this is happening, but we might not see critical mass for another couple of years.
Mark Miller, hope this short story helps :)
Continuous everything needs continuous security at all the interface touch points (dev, stage, pre-prod, prod, etc.) and cannot be ignored. Else you will be creating continuous vulnerabilities in the name of continuous everything... #devsecops #devops