Blog Insights How advanced are your DevSecOps practices?
October 21, 2019
3 min read

How advanced are your DevSecOps practices?

Read here what the three levels of DevSecOps practices are and what they include and how to improve your own

advanced-devsecops-practices.jpg

DevSecOps doesn’t happen overnight – between team alignment, new responsibilities, new processes, and automation, there is a lot that needs to happen to reach an advanced state of DevSecOps. Then there's the question of what it means to be advanced. How do you know when you've reached a comfortably mature state? What defines a beginner or intermediate level of DevSecOps maturity?

Analysing your DevOps practicies?

I set out to find answers to these questions and discovered a mountain of different measures. So instead of asking you to take your own journey through DevSecOps self-discovery, I compiled some points of maturity and segmented them into three classes: Beginner, intermediate, and advanced. The folks at the 2018 Open Security Summit agree that DevSecOps maturity is generally evaluated across six dimensions: Technology, processes, culture, tools, automation, and information flow.

DevOps Maturity: Beginner

Teams in the early phases of DevSecOps adoption show clear attempts to change the inertia of their organizations, but don't yet have all people and processes on board. A security mindset and culture is beginning to take hold in these early-stage teams. Testing may be interspersed throughout the development lifecycle, but some of those tests may run manually. The processes and operations used by early-stage teams often lack transparency and standardization. This lack of clarity makes it difficult for teams to reproduce certain activities and requires developers figure out solutions from scratch when taking on a new project.

DevOps Maturity: Intermediate

Many teams at an intermediate level of DevSecOps maturity have accepted that security is everyone's responsibility – and dev, sec, and ops teams are learning how to collaborate efficiently on software development. The pipeline integrates automated security checks at a few points throughout the development lifecycle and provides visibility into the actions taking place. Incident response may still lag behind these newer developments, with teams reacting to incidents rather than proactively defending against them.

DevOps Maturity: Advanced

A mature DevSecOps practice is highly efficient and collaborative. Developers accept ownership of their security responsibilities and run tests against their code at every commit to ensure security and compliance. Each team has visibility into an integrated toolchain (or better yet, a single tool), and developers work quickly within a self-service, easy to use, and centralized platform at every phase. Automation helps teams test and remediate, minimizes back and forth between teams, and brings security to the speed of the business.

As a whole, advanced DevSecOps practices take a proactive approach to security. Compliance and expectations are defined and standardized across teams. Testing should evolve to anticipate the most likely targets for attack. Automated monitoring will continue security efforts after launch, and response plans (for the sec, dev, and ops teams) should be established in case of a breach.

DevSecOps is for everyone

Each step toward DevSecOps is a step in the right direction – and it is increasingly risky to leave security as a bolt-on operation. Regardless of size or history, every company can and should adopt DevSecOps for software development. Strategies may vary: Nimble startups can adjust and adapt quickly, while larger incumbent businesses might begin with a pilot project, or choose to retrofit new security practices to established products.

Photo by Stanislav Kondratiev on Unsplash.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert