IDG Contributor Network: The culture shift in your DevOps environment

With vulnerabilities in applications continually being exploited today, it’s important to shed more light on this area. Many developers and senior tech leaders haven’t yet made the mental switch from “DevOps” to “DevSecOps,” despite some nudging within the tech community and the tech media. What does it take to make a global movement? Hopefully, it won’t take another vulnerability like Heartbleed, which we experienced a few years ago. That is just one of many; we have all seen this one too many times.

In the theme of security, we recently discussed incident response plans. Taking this a step further, the focus will be on the security around DevOps.

So, what is DevSecOps? Essentially, it is the idea of incorporating security best practices into the DevOps practice. It is a practice that security and engineering teams need to build into their DNA, collaboratively. This doesn’t mean only when teams feel like it. It means building security in right from the start and through the entire process until delivery of the final product. This shift must extend DevOps’ strengths to software security.

Building that security foundation

The Scrum framework and Agile methodology are great and should continue to look at efficiencies within the DevOps process. Many of these processes were developed with speed and quality in mind. Initially, however, security was an afterthought, and as more vulnerabilities arose, management realized the deep flaw. It’s important we all acknowledge that we need to start building in a little time for security, starting on the front end. Many developers and project managers are doing this now, but it’s important that delivery expectations are set at the customer level as well.

So, we have traditional DevOps and even SecOps; when will DevSecOps be commonplace? SecOps evolved from good collaboration between the security and operations teams. Additionally, SecOps ensures that organizations don’t cut corners around security to accomplish operating goals and uptime.

We all know that in our regular dev cycle, starting with requirements and design, security is an afterthought. The good news is that SecOps is having an influence on the early stages of the software development life cycle (SDLC). As mentioned a bit earlier, adding security characteristics earlier in the development cycle may pose some challenges for delivery times. Thus, the development and operations teams must work closely to streamline these practices, which includes bringing security in at the beginning of the development cycle. It’s all in the planning.

Herein lies the challenge. DevOps is accustomed to delivering products at blazing speed while security is in the middle of everything trying to make it secure. You can’t blame either team for what they are attempting to accomplish – and it’s not for lack of trying. While each team can generally understand what the other does and what it is trying to accomplish, they just don’t understand how to get their part done without creating issues for each other. Additionally, many of these encounters are cultural, and there needs to be an unbiased champion or executive to help get through conflicts, especially when each team deems its part the priority. To complicate matters, DevOps’ workloads and priorities have only grown, while security’s work has become more tedious with threats becoming more complex.
