Silos are great for storing grain. They are awful for DevSecOps (or any organization, really), and they run directly against the very foundation of DevOps. DevOps is about increasing communication and coordination and working together across functional areas to make better, more secure, and more resilient software.
The reality is that DevSecOps can actually create another silo, which is exactly why DJ Schleen says that DevSecOps shouldn’t even exist. What?!?!?! Isn’t this a talk about DevSecOps? No - this is a talk about making security a part of everything a DevOps organization does.
DJ Schleen (@dschleen) is currently the VP, Infrastructure and Developer Operations, VillageMD. He is a DevOps pioneer and DevSecOps advocate in the healthcare industry. He provides thought leadership to organizations looking to integrate security into their DevOps practices, and he comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software.
During his talk earlier today at the All Day DevOps conference, No Silos: Building an Effective DevSecOps Program, he shared his number one way (okay, only right way) to implement a DevSecOps organization and its principles. Here it is: stand up a DevOps organization and integrate security across every part of it. Adding Sec to DevOps isn’t what this is about. As DJ says, “Everyone is responsible for security. The definition just undermines the whole purpose.” Additionally, “If you have both a DevSecOps team AND a DevOps team, you are doing it wrong.”
Earlier today we listened to a presentation about value stream management, a concept from lean manufacturing, which Toyota is famous for implementing very effectively. DJ drew on the wisdom of W. Edwards Deming, who helped lead Toyota’s transformation. Deming said, “Quality is pride in one’s workmanship.”
This concept of quality is core to implementing security principles in DevOps. Every team member should have a role in, and ownership of, security. DJ again drew on car manufacturing for an analogy. In 1981, airbags started being added to cars, and in 1986 high-mounted brake lights were rolled out. Car manufacturers didn’t send the cars from the assembly line to another facility to install these - they added them to the existing assembly line. Organizations should do the same for security in DevOps - it should be present at every point of the software development life cycle, not bolted on afterwards by a separate team.
DJ has spent most of his career in healthcare, which, in the United States, is subject to HIPAA, a restrictive law that guards the privacy of healthcare records. It has a major impact on healthcare technology. He mentioned a stat - 4,467,098. That is the number of healthcare records compromised in the U.S. in January 2021 alone. The threat is real, and the breaches come from three main causes:
- Patching and IT misconfiguration
- Website and application hack
- Unauthorized access/disclosure
These numbers tell us two things:
- Our application and infrastructure quality SUCKS (whether or not the defect is security-related)
- Security is an attribute of quality (not another silo)
The bottom line is that security should be everywhere: DevOps and Automation; Cloud Engineering; Network Engineering; SRE; and Database Administration. Security is simply part of engineering - we need to think of it that way and measure it the way we measure quality.
DJ has been evangelizing about security being integrated in DevOps for a long time. His talk is worth a listen to anyone who wants to implement security into every aspect of DevOps, and those who aren’t sure yet. You can listen to his talk on-demand by registering online for All Day DevOps.
Founded in 2016, the virtual event gathers more than 25,000 DevOps professionals for free, hands-on education. All Day DevOps is a global community of more than 75,000 DevOps practitioners and thought leaders offering free learning, peer-to-peer insights, and networking with professionals worldwide. The community hosts an annual conference, live forums, and ongoing educational experiences online. The 2021 event features a lineup of 180+ speakers in six separate tracks: CI/CD Continuous Everything, Cultural Transformation, DevSecOps, Government, Modern Infrastructure, and Site Reliability Engineering. All sessions will be available on-demand following the conference. Register online to view the sessions on-demand.