Software Development Operations, or DevOps, can go by many names. DevSecOps inserts security into the equation, while DevSecEthOps throws ethics into the mix, but ultimately the goal of the process is to build secure software – fast.
“It’s DevOps,” said Emily Fox, DevOps Security Lead at the National Security Agency (NSA). “By the very nature and the practices – the three ways and the five ideals – it is secure.”
Speaking during an online event hosted by Red Hat, Fox said if security professionals are left out of the process, then the underlying foundations of why DevOps is important have been missed.
“Bring them along and have the journey together,” said Fox, of security professionals. She then outlined the three ways of the DevOps method – systems thinking, amplifying the feedback loops, and a culture of continual experimentation and learning. Fox said those three map nearly one-to-one with the National Institute of Standards and Technology (NIST) cybersecurity framework.
In the DevOps method, Fox explained that those three ways are implemented with five ideals:
- Locality and simplicity – moving the work to where the developers and the operators are.
- Focus, flow, and joy – creating an uninterrupted path for developers to do their job and making sure staff are actually enjoying their jobs.
- Improvement of daily work – a process which comes through iteration.
- Psychological safety – ensuring staff are completely comfortable coming to the leadership team with changes.
- Customer focus – delivering better products.
Ultimately, the DevOps or DevSecOps process is about speed. “It’s not a question of if we are going to do DevSecOps,” Ron Ross, fellow at NIST, said earlier this year, “it’s a question of how fast we’re going to do it.”