
What to Do and What to Avoid When Implementing Security in the DevOps Lifecycle

DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, security teams need to be strategic about how they approach DevOps security.

Eric Johnson and other DevSecOps experts weigh in on what to do and what to avoid when implementing security in the DevOps lifecycle.

Diagram: how development teams and operations can overlap to produce security in the DevOps lifecycle.

Eric Johnson, Principal Security Engineer, weighs in on where to start adding security into DevSecOps.

“In my experience, I have worked with many organizations and discussed DevSecOps programs with thousands of information security students in the classroom. One of the first topics we discuss is their DevSecOps culture.

Traditional security cultures are always ready to say NO, fail to share information across the organization, and do not tolerate failure. This directly contradicts the DevOps culture, which creates a diverse working environment, empowers teams, enables collaboration and problem-solving, fails fast, and continuously improves. Building a successful DevSecOps program requires security teams to embrace this culture. Security must understand the engineering process and tools that enable DevOps teams to move quickly before contributing.

Many security teams fail because they do not understand the tools, jump in too quickly, and disrupt the engineering workflow. To ensure success, slowly introduce one security control at a time and ensure the results are valuable to the team. Join the DevOps culture by continuously monitoring and improving security processes to minimize disruptions. This often includes evaluating results, fine-tuning scanners, and working directly with the engineering teams to minimize false positives.

Failing to make the culture transition is the primary reason that DevSecOps fails.”
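The advice above to introduce one control at a time, tune the scanner, and keep false positives from disrupting the engineering workflow can be made concrete in the CI gate that consumes scanner output. The script below is an added example written for this page; it is not code from the article or from Eric Johnson. It assumes a hypothetical scanner that emits JSON findings with `rule_id`, `path`, `line`, `severity` and `snippet` fields (the rule names and the sample findings are constructed for illustration). On rollout day every existing finding is recorded in a baseline, so the build passes; afterwards only findings that are genuinely new, not muted by a tuned-out rule, and at or above the agreed severity fail the build. The fingerprint deliberately ignores line numbers so that unrelated edits do not turn an accepted finding into a "new" one.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Finding:
    """One scanner result. Field names follow a hypothetical JSON schema assumed for this example."""
    rule_id: str
    path: str
    line: int
    severity: str  # "LOW" | "MEDIUM" | "HIGH"
    snippet: str   # the matched source line

    def fingerprint(self) -> str:
        # Rule + file + whitespace-normalised snippet: stable across line-number shifts,
        # so a baselined finding stays baselined after unrelated edits above it.
        norm = " ".join(self.snippet.split())
        return hashlib.sha256(f"{self.rule_id}|{self.path}|{norm}".encode()).hexdigest()[:16]


def parse_findings(raw_json: str) -> list[Finding]:
    return [Finding(**item) for item in json.loads(raw_json)]


def build_baseline(findings: list[Finding]) -> set[str]:
    """Rollout day: accept everything that already exists so the new control does not block anyone."""
    return {f.fingerprint() for f in findings}


def triage(findings: list[Finding], baseline: set[str], muted_rules: set[str],
           fail_on: str = "HIGH") -> tuple[list[Finding], list[Finding], list[Finding]]:
    """Split findings into blocking (new, severe), informational (new, below threshold) and known."""
    blocking, informational, known = [], [], []
    for f in findings:
        if f.rule_id in muted_rules:
            continue  # rule tuned out after engineers showed it is noise in this codebase
        if f.fingerprint() in baseline:
            known.append(f)
        elif SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on]:
            blocking.append(f)
        else:
            informational.append(f)
    return blocking, informational, known


def gate(findings: list[Finding], baseline: set[str], muted_rules: set[str],
         fail_on: str = "HIGH") -> int:
    """Return the CI exit code: 1 only when a new finding at or above fail_on appears."""
    blocking, informational, known = triage(findings, baseline, muted_rules, fail_on)
    for f in blocking:
        print(f"BLOCK {f.severity:6} {f.rule_id} {f.path}:{f.line}")
    for f in informational:
        print(f"INFO  {f.severity:6} {f.rule_id} {f.path}:{f.line}")
    print(f"{len(known)} known finding(s) carried in baseline; {len(muted_rules)} rule(s) muted")
    return 1 if blocking else 0


# Constructed sample scanner output for rollout day (not real scan results).
DAY_ONE = json.dumps([
    {"rule_id": "hardcoded-credential", "path": "legacy/report.py", "line": 40,
     "severity": "HIGH", "snippet": "password = 'changeme'"},
    {"rule_id": "insecure-temp-file", "path": "legacy/export.py", "line": 12,
     "severity": "MEDIUM", "snippet": "open('/tmp/export.csv', 'w')"},
    {"rule_id": "assert-in-prod", "path": "tests/test_report.py", "line": 3,
     "severity": "LOW", "snippet": "assert user.is_admin"},
])

# Constructed output for a later run: the legacy file shifted by ten lines and one new HIGH appeared.
DAY_TWO = json.dumps([
    {"rule_id": "hardcoded-credential", "path": "legacy/report.py", "line": 50,
     "severity": "HIGH", "snippet": "password = 'changeme'"},
    {"rule_id": "insecure-temp-file", "path": "legacy/export.py", "line": 12,
     "severity": "MEDIUM", "snippet": "open('/tmp/export.csv', 'w')"},
    {"rule_id": "assert-in-prod", "path": "tests/test_report.py", "line": 3,
     "severity": "LOW", "snippet": "assert user.is_admin"},
    {"rule_id": "hardcoded-credential", "path": "api/auth.py", "line": 8,
     "severity": "HIGH", "snippet": "api_key = 'PLACEHOLDER-KEY'"},
])

# Tuned out together with the engineering team: this rule only fires on test code in this repo.
MUTED_RULES = {"assert-in-prod"}


def main() -> int:
    baseline = build_baseline(parse_findings(DAY_ONE))
    gate(parse_findings(DAY_ONE), baseline, MUTED_RULES)   # rollout run: exit code 0
    return gate(parse_findings(DAY_TWO), baseline, MUTED_RULES)  # later run: exit code 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The baseline file and the muted-rule set are the two knobs that let a team add the scanner without a wall of pre-existing failures; the `fail_on` threshold can then be lowered one step at a time as the baseline is worked down, which is the gradual, one-control-at-a-time rollout the quote recommends.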