The perfect blend of development, security, and operations (DevSecOps) can elude many organizations and hamper their digital transformation efforts, even if they think they are on the right path. Sorting out stumbling blocks in DevSecOps and dealing with outright failures in the process took center stage in two keynotes at last week's ONUG Fall 2022 conference in New York City.
James Wickett, co-chair for DevSecOps at ONUG Fall 2022, focused on warnings organizations should pay attention to while Vandana Verma Sehgal, chair of the board of directors with OWASP, examined failures and ways organizations can respond. The event, hosted by ONUG (the Open Networking User Group), brought out the enterprise cloud community to tackle issues.
Wickett gave a keynote on "DevSecOps Warning Signs and What to Do About Them" and dove into breakdowns within enterprises. He is also founder and CEO of DryRun Security.
"Why is DevSecOps not working in many organizations?" Wickett asked. He said in some cases, security might not be included in digital transformation, possibly as a byproduct of moving fast. Security professionals might also see themselves as different from others in the organization, Wickett said, and adopt rather Draconian perspectives. "Many security teams work with the world view where their goal is to inhibit change as much as possible."
Such sentiment can obviously go too far, Wickett said, especially if security puts guardrails around the wrong things and hobbles productivity in the process. "That is a place you don't want to be inside of an organization," he said.
The notion of pitting security versus IT and the business can just be counterproductive, Wickett said. "That is a false sense of transformation."
The premise of DevSecOps, he said, is to take DevOps practices and principles and build security into the cycle, not that security is swooping in to fix DevOps. Wickett suggested developers find ways to give telemetry back for application security, as well as conduct some self-testing. Operations should also add security and telemetry to the observability stack, he said.