This is the second in a five-part series on getting started with DevSecOps. Part one gives you nine ways to shift security left. Part three offers concrete steps to add automated security testing into the mix. And part four explains how to build a strong security culture to support your DevSecOps efforts.
Cross-functional collaboration seems like a dry buzzword, but I promise you it’s way better than it sounds. After all, DevOps is cross-functional collaboration. DevSecOps is too. In GitLab’s 2020 DevSecOps Survey, respondents had a plethora of strong reasons to do DevOps, including code quality, faster time to market, and happier developers. But if there are rifts in communication and collaboration, any joint Dev, Sec, or Ops effort will be for naught.
Collaboration is a core principle of DevOps, but it is even more critical when bringing a third element – security – into the mix. Team members should feel comfortable reaching out across functions, asking questions, and sharing (non-sensitive) information. DevSecOps brings a special meaning to collaboration because of the shift in roles and responsibilities introduced by new security efforts. Shifting your security practices left will require some heavy lifting to truly get your DevSecOps practices off the ground.
Leading by example
To begin, leaders from each functional team need to gain a mutual understanding of the other teams’ functions, roadblocks, and goals. Then they should discuss how security will be integrated into dev and ops – both how the lifecycle will flow, and how employees will be onboarded to any new processes. The results of that discussion should be shared across the entire organization to put everyone on the same page.
Organizational heads will need to set an example for their teams. Employees should understand the collaborative work that is being done at the top, and how their own work is part of that effort. Additional expectations should also be communicated. These, as outlined below, should foster a collaborative environment that requires communication and reliability across teams.
Cross-functional team goals
It’s important to start with cross-functional team goals. These can be broad (like "deliver a secure and stable product at every release"), or specific ("add extensive identity verification features while ensuring compliance with GDPR"). Regardless of what the goal is, it should be made clear that employees across all functions are working together to achieve the same thing – and the cross-functional team will be evaluated as a whole.
Peer teaching and peer learning
When security employees understand the function and goals of Dev and Ops, they’ll be able to give better guidance and instruction on how each role can produce secure work. On the other hand, when Dev and Ops understand the function and goals of security, they’ll find it more logical to incorporate new security practices into their day-to-day work. This way, employees will understand how their goals align with and benefit each other. Employees should be encouraged to help one another learn – and certainly should be encouraged to learn from each other with open minds.
Centralized information sharing
For the best possible DevSecOps experience, information needs to live and be shared in a central location – preferably a single platform for the entire DevOps lifecycle. Ideally, the entire project team has access to all the information they need, all in the same place. This minimizes context-switching and reduces the likelihood of information getting lost or missed by team members. Keeping change logs, test and scan results, code reviews and other metrics colocated means everyone knows where to find the information they need to get their job done efficiently.
DevSecOps: Five collaboration goals
What does it look like to have strong collaboration across your teams? Qualitative principles are slightly harder to quantify than things like vulnerabilities, but there are plenty of ways to build your team's collaborative muscles and measure their strength:
- Project planning is a joint effort between Dev, Sec, and Ops.
- Employees have access and actively contribute to a single datastore with reporting and visibility across the DevSecOps lifecycle.
- Vulnerability management, reporting, and remediation cost less and happen more quickly than before you began your DevSecOps efforts.
- Tools have been consolidated so that development and security can collaborate within the same interface.
- Project delays are rarely caused by lack of communication or information sharing.
Cover image by Charlie Egan on Unsplash
“True DevSecOps requires cross-functional collaboration. Here's our best advice.” – Vanessa Wegner