I’m not going to argue about why “Security is Everyone’s Role” - we’ve already agreed that it is, and there is no point in continuing that discussion. Instead, I’ll try to explain how DevSecOps has been influenced by that mindset - and should also be everyone’s business.
A Long Bit of History in Two Minutes
In the beginning there were mainframe-based batch processing applications created by Dev and Ops supporting big computers, but not apps.
Then, light was seen coming from alphanumeric terminals that supported a client server architecture. App specific Ops was born somewhere around this time. Information security -- at least the way how we know it today -- was still nowhere close.
Then God DARPA said, “let there be Internet, be fruitful, and multiply, and replenish the earth with the streams of useful information available to everyone”. We all saw that it was all good, until we noticed one bad thing about it. There were bad guys trying to get access to information that they were not supposed to see. This is when information security was born.
At that time security has been completely separated from Dev and Ops. It was not embedded within any SDLC process. Newly created InfoSec companies were coming in to pen test systems and generate long PDF reports with findings and remediation suggestions. Security was a self-sufficient, black box kind of thing that didn’t care much about how those PDF reports would be used.
Meanwhile, business wanted software development practices to move faster, and Dev responded with Agile methodologies (but completely forgot about Ops, which was deeply rooted to the way new apps and systems were created at that time). It then became obvious that making Ops the part of this process was a must, and this is how DevOps was born.
All of that was good, but very soon everyone has realised that if security remained isolated, there was not much the DevOps movement could do to achieve the business goals mentioned above. Next, the DevSecOps term was coined. (I could find the first use of it in a tweet published on 03/09/2012).
We Are Not Alone
The major question here is: have we included all necessary parties this time? An obvious answer coming from the title of this article is: of course not.
The thing is, while DevSecOps or DevOps concepts could be sufficient for small companies and startups, where any employee belongs to one of Dev, Sec or Ops category -- for bigger, well-established and heavily regulated companies, it’s never the case.
There are many other parties involved: e.g. risk, legal, compliance, governance, change control (yes, it still exists), etc. Believe it or not, all of them are part of a software development process. I can recall a case when in the middle of Dev process when engineers were asking attorneys questions like: “what will happen if we allow users on our system without asking them to agree with our terms”, or “how will this new feature impact our risk and compliance posture”.
Please note that in situations like these, risk, compliance, and legal pros become a part of the software development process. And if a team runs in agile mode, these three groups don’t have the luxury to research a risk, compliance or legal issue for a month or two. They need to provide an answer fast to make sure that Dev, Sec, Ops meet their sprint deadlines.
If you think about all that, you will probably agree that in big organizations DevSecOps is really DevSecOps plus almost everybody else.
We’ve started with Dev, then realized soon that Ops and Sec should be included as well. Now, let us think about how everybody else could be included to the process. It’s not only about integrating automation throughout development, deployment and security, it’s also about big changes in processes. It is also about the way different -- and not necessary technical organizations -- are involved within a software development life cycle and their ability to respond fast to the needs of all other parties involved.
I think, the next big thing, which is coming after DevSecOps is DevSecOpsAndEverybodyElse.
Either do that in your organization, or admit that you can’t keep pace with the speed required by business (and that you are a show stopper party pooper).
Finally, I encourage you to read this year’s full set of responses from the 2018 DevSecOps Community Survey here. The results are fascinating.