Moving from DevOps plus Sec to DevSecOps

Cyber attacks are an ever-growing concern for businesses of all types and sizes, and the security of the software they build and run is a growing part of that threat.

In our latest webinar, hosted alongside our partner Snyk, we addressed a key challenge facing many businesses - how to build secure software without slowing down the pace of software development and the path to production. 

The event, featuring Codurance’s Head of Platform Engineering Rodrigo Nascimemto and Snyk’s Partner Solutions Architect Tomas Gonzalez, and facilitated by Codurance’s Director UK North, Amelia Bampton, set out to define what DevSecOps is, how it solves key software challenges and how it can drive successful outcomes.

In the pre-Cloud era, developers, operations and security teams tended to work in silos: developers wrote code and handed it to ops, who managed provisioning and infrastructure, whilst security ensured auditing and checks were in place to prevent attacks.

Nowadays, however, developers building cloud native applications provision their own environments and runtimes. They have to be experts not just in writing code but also in containers, Kubernetes, infrastructure tooling and security.

These new ways of working and responsibilities led to the rise of DevOps and, more recently, as security takes an ever greater role, to DevSecOps.

When done well, DevSecOps - the culture of all three disciplines working in unison in a developer-first approach - can lead to huge gains in the ‘4 key metrics’ of DevOps: Lead Time, Deployment Frequency, Mean Time to Restore (MTTR) and Change Fail Percentage.

DevSecOps also brings other benefits: lower cost, because a vulnerability found early is far cheaper to fix than one found in production; higher productivity; and a culture of innovation and experimentation.

A key factor of success is aligning people, culture and skills with the technology, data and metrics. With the right metrics and KPIs, supported by the right tooling for visibility, DevSecOps teams can measure their vulnerabilities and feed regular findings and actions back to developers whilst maintaining the pace of the pipeline. This ‘shift left’ mentality introduces security early: developers find and fix vulnerabilities whilst the code is still in the source control repository, before it reaches production. Security testing then continues on an ongoing basis once the application is in production, because new vulnerabilities are disclosed every day and something that was clean at deployment time may not stay that way throughout its lifecycle.
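The following GitHub Actions workflow is an added example of the two-stage pattern just described; it is not code from the webinar, from Codurance or from Snyk. It assumes a Node.js project with a lockfile, a repository secret named SNYK_TOKEN holding a Snyk API token, Snyk Code enabled for the organisation, and ‘main’ as the branch that is deployed to production. Every pull request is gated on high or critical findings (shift left), and after a merge to main the dependency tree is registered with `snyk monitor` so it keeps being re-evaluated as new advisories are published, without waiting for the next build.

```yaml
# Added example (not from the webinar, Codurance or Snyk). Assumptions:
# Node.js project with package-lock.json, a SNYK_TOKEN repository secret,
# Snyk Code enabled for the org, and 'main' as the production branch.
name: security

on:
  pull_request:             # shift left: scan every change before it is merged
  push:
    branches: [main]        # what actually ships to production
  schedule:
    - cron: '0 6 * * *'     # re-test daily: new vulnerabilities are disclosed every day

permissions:
  contents: read            # the scans only need to read the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # the Snyk CLI authenticates from this variable
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm install -g snyk

      # Gate 1: open-source dependencies. Fail the pipeline on high/critical
      # findings, but only those the developer can fix with an upgrade
      # (--fail-on=upgradable); unfixable issues are still reported, so the
      # feedback stays actionable and does not block the pipeline for nothing.
      - name: Dependency scan (gate)
        run: snyk test --severity-threshold=high --fail-on=upgradable

      # Gate 2: static analysis of the application code itself, same threshold.
      - name: Code scan (gate)
        run: snyk code test --severity-threshold=high

      # After merge to main: snapshot the dependency tree so Snyk keeps
      # re-evaluating it against newly disclosed vulnerabilities and alerts
      # the team, independent of the build schedule.
      - name: Monitor what is in production
        if: github.event_name == 'push'
        run: snyk monitor --project-name=${{ github.repository }}
```

The severity threshold and the `--fail-on` choice are the policy knobs: tightening them raises the Change Fail Percentage of the pipeline without improving the application’s security if the findings are not fixable, so start with a gate developers can always act on and ratchet it down as the backlog shrinks.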

If businesses are just starting on their journey to DevSecOps, getting security stakeholders involved in the conversation as early as possible is the best approach to ensure buy-in across the organisation and to avoid silos.

Codurance has a proven continuous improvement model (see diagram below) to help businesses implement DevSecOps across the organisation, covering Assessment, Strategic Advice, Implementation and Feedback, underpinned by Snyk tooling to support a developer-first security approach.

[Diagram: Codurance’s continuous improvement model for DevSecOps - Assessment, Strategic Advice, Implementation and Feedback]

Further Reading

Watch the full webinar including a demo of a modern CI/CD pipeline in action here.

Read Snyk’s State of Cloud Native Application Security Report here.

Read this article by Codurance’s Co-Founder Mash Badar on why DevOps is the guide to your Software Modernisation journey here.

Read the new O’Reilly book Cloud Native Application Security: Embracing Developer-First Security for the Cloud Era by Guy Podjarny, Founder and President of Snyk here.

Read DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement by Glenn Wilson here.

Read The Phoenix Project by Kim, Behr and Spafford here.

Read Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems here.

Read Accelerate: The Science of Lean Software and DevOps by Forsgren, Humble and Kim here.

 

Want to learn how to build your own world-class team and create a DevSecOps culture to accelerate the path to production in your organisation? Contact Codurance to discuss your challenges.