Nimmy Reichenberg recently wrote an article on SecurityWeek describing the “Three C’s” of team-based application development: Collaboration, Communication and Co-Ownership. He calls this “Extending the DevOps Model”, with the premise that DevOps teams use Agile techniques to refine their processes, but the security team, by its very nature, slows the process down.
As I delve deeper into the DevOps mindset, this seems to be a consistent issue. The most effective way to handle it is to move security into the development cycle from the beginning, so that it becomes part of the process rather than a free-standing silo, as Reichenberg refers to it.
“Instead of working in silos, if all of the key stakeholders understand and are involved in the change process from the beginning, you can ensure the proper checks and balances and provide the proper visibility from all angles” – Nimmy Reichenberg
If we think of the DevOps process as a linear timeline, security can be pushed back as close to the beginning of the timeline as possible, making it integral to development. I’ve seen the terms “moving left” or “shifting left” used to describe the concept.
Reichenberg’s conclusion is “Agility is the name of the game, and it shouldn’t stop at DevOps.” You can read the complete article here: Extending the DevOps Model to Achieve Operational Excellence and Improved Security