Two things define development in business - speed to market and demand for quality. Unfortunately, these two targets rarely move in tandem, and rarely agree with one another. For developers, speed matters only insofar as it is built into the solutions they are creating; for IT operations, it is a critical benchmark and KPI. When security is added on top of this equation, the result is often a clash of clans that does little to enhance solutions. According to Mandla Mbonambi, CEO of Africonology, this is what makes DevSecOps an essential evolution in development, connecting the dots and the silos to deliver relevant and timeous results.
"The complex relationship between dev, ops, and sec has always been there, and it is very unlikely that it will magically go away," he adds. "However, creating DevSecOps teams that recognise the obstacles, the differences and the limitations can go a long way towards resolving some of the complexities that run between these teams, and to improving overall solution delivery."
DevSecOps, if implemented properly, delivers solid business benefits. It can allow for faster value delivery, improved digital transformation integration and innovation, robust security, reduced costs in development and post-implementation security remediation, and increased speed to market. That said, DevSecOps is not a matter of sticking disparate teams into a room and waiting for the magic to happen. Successful DevSecOps requires investment in the individual, the team, and the culture.
"There will always be a tension between the developers and the security teams because security has to step in and point at the cracks and find problems with the code," says Mbonambi. "Their job is to poke holes, but developers find the relentless revising of their code as much fun as a root canal. The problem is that security has become fundamental to the business, so these two teams have to find a way of working together without one side losing the will to live."
It is a common problem. The Linux Foundation's 2020 FOSS Contributor Survey included quotes that captured the feeling perfectly: "I find the enterprise of security a soul-withering chore" and "I find security an insufferably boring procedural hindrance". These are relatively big boulders to shift out of the way to ensure a seamless connection between developers and security. But they are not impossibly large. After all, if developers and IT operations have managed to smooth many of the lumps in their roads through best practice and cultural shifts, then there is no reason why security cannot enter the fold.
"Skills in development, security, and IT ops are rare enough without losing talent to friction," says Mbonambi. "You want the resilience and scale and security that is promised by DevSecOps, but you do need to invest in a culture that allows for these individuals to work together more efficiently. There will always be push and pull from each team; their goals are too different, so a culture that provides each team with the right space and tools to deliver their jobs with new practices and approaches is essential."
This shift in culture and approach must ensure everyone is on board, and that the new practices work for every member of the team. It also requires that teams are given a line of sight into one another's roles and challenges - Dev, Sec, and Ops processes and limitations clearly visible to everyone. Transparency reduces friction. It also reduces fragmentation of methodology, toolset, and approach. If that line of sight extends throughout the lifecycle and the processes within the teams, it can minimise the risk of sprawl, fragmentation, and security vulnerabilities.
"This culture shift isn't just for the teams; it is also for the business," says Mbonambi. "Executives need to understand the business value inherent in DevSecOps and the complexities that surround it, and they need to provide support. If stakeholders and leadership recognise the importance of DevSecOps in achieving business goals, they are far more likely to ensure that the teams get the tools, the support, and the room they need to do their jobs properly."
There is immense value sitting within the DevSecOps realm. Organisations can achieve more within increasingly rigorous security parameters, without compromising on quality or market delivery. However, the traditional conflicts between the teams and the complexities of their roles must be recognised and managed to ensure long-term success, and team stickiness.
"It is often worth outsourcing DevSecOps capabilities to organisations that have built up robust and transformative teams that have already leaped the hurdles and built synchronicities," concludes Mbonambi. "If the risk of failure or team fall-out is too high, third-party DevSecOps teams can provide the same agility, scale, and security, without the complexity."