Connect with us

Hi, what are you looking for?


Application Security

Shifting to DevSecOps Is as Much About Culture as Technology and Methodology

This move to container-based development and agile methodologies has been great for innovation and iteration, but it’s also brought a massive shift in the application landscape with real impact on security teams. 

This move to container-based development and agile methodologies has been great for innovation and iteration, but it’s also brought a massive shift in the application landscape with real impact on security teams. 

In just the past year or two, DevOps has become much more mature. Today we need to understand risks and implement controls not just for 10 or 20 apps—it’s often hundreds if not thousands.  

And while there are many cloud-native companies built for this new world whose entire application ecosystems are born in the cloud, the majority of companies are at different stages. Some may still be doing much less frequent releases, whether that be annual, quarterly or monthly. Some are still trying to manage their transition from waterfall-style development to modern application development with agile practices. Older, larger companies in particular may have a wide-ranging mixture of legacy on-prem and new, cloud-based apps. 

The complexity can be daunting even for the largest security orgs. You’re not updating once a year, but potentially daily. Each individual app is going to have its own automated development pipeline, which is going to have its own builds, its own releases and multiple different agile teams. 

As more companies go through this cycle of shifting left, it’s only natural to see the business get ahead of security. And as everyone goes through this transition, we’re going to see more exposure as a result of that gap, with the business developing apps at a rate that the security organization is still trying to match. 

The further left an organization has shifted, the more rapid its development, the more adaptable the security team has to be—and the only way to get there is through a true DevSecOps model where security is an intrinsic part of development in a frictionless way. 

With DevSecOps, security orgs can meet the same standards that they’re accustomed to, while also meeting developers where they are, without completely halting the entire process to implement policy. The security team can continuously work in their own workflow and create policies that meet the business’ needs, and the DevOps team can move at the rapid speed of their business requirements. 

Advertisement. Scroll to continue reading.

While it’s tempting to see this as just another “digital transformation,” it’s also not. Yes, there are new technologies digitizing traditional business processes and customer interactions. But beyond the technology itself, security teams must also change the way they work, adopting agile security practices that reflect the way modern dev teams operate. 

And to change the way they work, they also have to change the way they think. Companies tend to overlook the cultural transformation that’s necessary. But without that cultural shift, it doesn’t really matter how agile development works or even what the digital transformation is. 

For security pros, that cultural transformation involves a lot of letting go. You’re not the big policy czar in the sky anymore. In this new world, you have to be able to infuse your understanding of risk and do it at the speed of the business: rapid development, shorter release cycles, staying in the thick of things through collaboration tools like Slack and Microsoft Teams. And that is a massive change in the way many security pros think about their jobs. 

The only way to solve the challenges presented by agile development is by making security a fundamental part of the entire process. It can’t be an afterthought. Otherwise it adds friction, and the dev team continues moving at business speed no matter what. The security team has to be able to adapt to that frictionless environment where tests are conducted as part of the builds and security choices and the decision to release are part of the process, not separate functions.

A true DevSecOps environment involves breaking down barriers and creating a cross functional team focused on one objective. The key is to understand that DevOps is now a way of life, while SecOps is our old way of living. Those personas have to merge into a true DevSecOps model that functions as one. 

What was previously more of a theory for most companies is real today. And the conversation about DevSecOps is just starting.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...