DevSecOps doesn’t happen overnight – between team alignment, new responsibilities, new processes, and automation, there is a lot that needs to happen to reach an advanced state of DevSecOps. Then there's the question of what it means to be advanced. How do you know when you've reached a comfortably mature state? What defines a beginner or intermediate level of DevSecOps maturity?
I set out to find answers to these questions and discovered a mountain of different measures. So instead of asking you to take your own journey through DevSecOps self-discovery, I compiled some points of maturity and segmented them into three classes: Beginner, intermediate, and advanced. The folks at the 2018 Open Security Summit agree that DevSecOps maturity is generally evaluated across six dimensions: Technology, processes, culture, tools, automation, and information flow.
Teams in the early phases of DevSecOps adoption show clear attempts to change the inertia of their organizations, but don't yet have all people and processes on board. A security mindset and culture are beginning to take hold in these early-stage teams. Testing may be interspersed throughout the development lifecycle, but some of those tests may still run manually. The processes and operations used by early-stage teams often lack transparency and standardization. This lack of clarity makes it difficult for teams to reproduce certain activities and requires developers to figure out solutions from scratch when taking on a new project.
Many teams at an intermediate level of DevSecOps maturity have accepted that security is everyone's responsibility – and dev, sec, and ops teams are learning how to collaborate efficiently on software development. The pipeline integrates automated security checks at a few points throughout the development lifecycle and provides visibility into the actions taking place. Incident response may still lag behind these newer developments, with teams reacting to incidents rather than proactively defending against them.
A mature DevSecOps practice is highly efficient and collaborative. Developers accept ownership of their security responsibilities and run tests against their code at every commit to ensure security and compliance. Each team has visibility into an integrated toolchain (or better yet, a single tool), and developers work quickly within a self-service, easy-to-use, centralized platform at every phase. Automation helps teams test and remediate, minimizes back-and-forth between teams, and brings security up to the speed of the business.
As a whole, advanced DevSecOps practices take a proactive approach to security. Compliance and expectations are defined and standardized across teams. Testing should evolve to anticipate the most likely targets for attack. Automated monitoring will continue security efforts after launch, and response plans (for the sec, dev, and ops teams) should be established in case of a breach.
DevSecOps is for everyone
Each step toward DevSecOps is a step in the right direction – and it is increasingly risky to leave security as a bolt-on operation. Regardless of size or history, every company can and should adopt DevSecOps for software development. Strategies may vary: Nimble startups can adjust and adapt quickly, while larger incumbent businesses might begin with a pilot project, or choose to retrofit new security practices to established products.